WO2021248227A1 - Methods and systems for encryption, decryption, signing and verification of digital messages - Google Patents


Info

Publication number: WO2021248227A1
Authority: WO (WIPO, PCT)
Prior art keywords: data elements, public, message, polynomial, recipient
Application number: PCT/CA2021/050319
Other languages: French (fr)
Inventor: Randy Kuang
Original Assignee: Quantropi Inc.
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Priority claimed from US16/921,583 (US10951404B1)
Application filed by Quantropi Inc.
Publication of WO2021248227A1
Priority to US17/691,295 (US11641347B2)
Priority to PCT/CA2022/050349 (WO2022187959A1)
Priority to US17/964,709 (US20230052431A1)
Priority to US18/186,130 (US20230231835A1)

Classifications

    • H04L9/3239: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • G06F21/602: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data by providing cryptographic facilities or services
    • G06F21/606: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data by securing the transmission between two devices or processes
    • G06F21/6209: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H04L51/00: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L9/0825: Key distribution or management; key establishment by key transport or distribution (one party creates or otherwise obtains a secret value and securely transfers it to the other(s)) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/3026: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters; details relating to polynomials generation, e.g. generation of irreducible polynomials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
    • H04L9/50: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
    • H04L2209/56: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L9/00); financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates generally to digital security measures and, in particular, to methods and systems for encrypting, decrypting, signing and verifying digital messages.
  • a method, computer-readable medium and apparatus for securely transmitting a secret to a recipient over a data network comprises (i) computing a first cipher from a secret data element, at least one noise data element and a first set of public data elements, the first set of public data elements corresponding to a first set of recipient-held data elements that are unknown to the sender computing apparatus; (ii) computing a second cipher from the secret data element, the at least one noise data element and a second set of public data elements, the second set of public data elements corresponding to a second set of recipient-held data elements that are unknown to the sender computing apparatus; and (iii) transmitting the first cipher and the second cipher to the recipient over the data network; wherein the secret data element is derivable by a predefined arithmetic computation involving the first cipher, the second cipher, the first set of recipient-held data elements and the second set of recipient-held data elements.
  • a method, computer-readable medium and apparatus for carrying out secure cryptographic decryption of data received from a remote device over a data network.
  • the method comprises (i) computing a first set of public data elements and a corresponding first set of locally-held data elements; (ii) computing a second set of public data elements and a corresponding second set of locally-held data elements; (iii) causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device; (iv) receiving a first cipher and a second cipher from the remote device over the data network; (v) combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element; and (vi) storing the decrypted data element in a non-transitory storage medium.
  • a method, computer-readable medium and apparatus for digitally signing a document for transmission to a recipient over a data network comprises (i) computing a first message-dependent public variable and a second message-dependent public variable based on the document and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements, the first and second sets of locally-held data elements being accessible exclusively to the local computing apparatus; (ii) computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements associated with the local computing apparatus; (iii) computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements associated with the local computing apparatus; (iv) computing a signature that is
  • the method comprises (i) computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements known to the recipient computing apparatus as being associated with the sender; (ii) computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements known to the recipient computing apparatus as being associated with the sender; (iii) computing a candidate signature that is a third function of the first and second results; and (iv) comparing the candidate signature to the received signature and concluding successful verification of the augmented message if the candidate signature matches the received signature and unsuccessful verification otherwise.
  • Fig. 1 is a block diagram showing two computing apparatuses engaged in digital communications over a network.
  • Fig. 2 is a signal flow diagram illustrating, at a general level, an encryption method in accordance with a non-limiting embodiment.
  • Fig. 3 is a more detailed version of the signal flow diagram of Fig. 2, for the univariate case, in accordance with a non-limiting embodiment.
  • Fig. 4 is a more detailed version of the signal flow diagram of Fig. 2, for the multivariate case, in accordance with a non-limiting embodiment.
  • Fig. 5 is a flowchart illustrating a digital signing process in accordance with a non-limiting embodiment.
  • Fig. 6 is a block diagram showing the inner workings of a computing apparatus, in accordance with a non-limiting embodiment.
  • Fig. 1 illustrates two computing apparatuses 10, 20 participating in a message exchange over a data / communication network 30.
  • the data / communication network may be any conventional public or private packet-based communications network, wired or wireless, or a combination thereof.
  • the data / communication network 30 may include the Internet.
  • a convention is adopted herein according to which computing apparatus 10 is referred to as “Bob” and computing apparatus 20 is referred to as “Alice”.
  • a central authority 40 may be connected to Alice and Bob via the data / communication network 30; in some embodiments the central authority 40 may be implemented as a web server.
  • an existing data / communication network 30 can be used, and that the computing apparatuses 10, 20 can be desktop computers, workstations, mobile communication devices of any kind (e.g., smartphones, laptops, tablets, watches and other wearables), web servers, automatic teller machines, personal computer systems, server computer systems, thin clients, thick clients, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices.
  • Such devices may be adapted with software or firmware (e.g., an app or other program) for encrypting, decrypting, signing and verifying digital messages transmitted over the communication network 30.
  • Bob generates at least two data elements, which can be referred to as “keys”, each comprising a public component and private component, in the manner to be described below.
  • first key (P, po)
  • second key (Q, qo)
  • Bob’s public components P, Q are made available to Alice directly (via the data / communication network 30) or through the central authority 40.
  • Bob may send Bob’s public components P, Q to the central authority 40, and the central authority 40 may send Bob’s public components P, Q to Alice upon request (e.g., by Alice providing Bob’s identifier to the central authority 40 and the central authority 40 sending Bob’s public components in return), or the central authority 40 may maintain Bob’s public components P, Q in a database for consumption by Alice.
  • Bob’s private components po, qo are maintained by Bob securely in a memory of the computing apparatus associated with Bob.
  • the public components P, Q may be encapsulated in Internet Protocol (IP) packets as they travel towards Alice, possibly over the data / communication network 30.
  • Alice wishes to securely send a digital message, denoted s, to Bob.
  • the digital message s can be referred to as a secret message (or simply a “secret”).
  • Alice produces two ciphers Ps, Qs from the same secret message s and each of Bob’s public components P, Q.
  • Alice sends the ciphers Ps, Qs to Bob.
  • Bob extracts the secret message s from (i) the ciphers Ps, Qs; (ii) Bob’s private components po, qo; and (iii) two subsets of “additional information” that was used to generate the keys (P, po), (Q, qo). Because of this “additional information” (which is held by Bob and used in the generation of the keys in the manner described in greater detail herein below), only Bob can decrypt the ciphers Ps, Qs to extract the secret message s sent by Alice.
  • Bob’s public component P includes a set of public data elements that are coefficients of a first polynomial and Bob’s public component Q includes a set of public data elements that are coefficients of a second polynomial.
  • the polynomials can be of any order (e.g., 5 or higher) and can be of any number of variables (univariate, bi-variate, tri-variate or higher).
  • the first and second sets of locally-held data elements are not shared with Alice.
  • the keys (P, po), (Q, qo) are generated in such a way that the quotient of the two ciphers Ps, Qs, when each is augmented by the respective private component po or qo, is equal to the quotient of two lower-order (e.g., affine or quadratic, or even cubic or quartic) functions of the secret message s, the coefficients of each of these lower-order functions being selected from the {ai} and the {bi}.
  • Since Bob knows all of the locally-held data elements (po, qo, {ai}, {bi}), Bob can solve for the secret message s through simple arithmetic (i.e., by using a suitable technique to find the root(s) of an affine, quadratic, cubic or quartic equation). In the case of a non-affine equation (quadratic, etc.), there are multiple roots, and the one that corresponds to the secret message s must be appropriately selected. For this purpose, root verification information can be sent by Alice.
  • the root verification information can be the result of a hash function performed on the secret message s (e.g., a few bits), so that when Bob applies this hash function to the multiple roots it computes, only one of these will match the bits received from Alice.
  • the attacker does not know the locally-held data elements. This means that the attacker is faced with finding the roots of the aforementioned first and second polynomials in order to solve for the secret message s. This can be made arbitrarily difficult to solve by choosing the order and the number of variables of the first and second polynomials.
  • the first and second polynomials can have an order of 5, 10, 100, 1000 or more or anywhere in between, and the number of polynomial variables can be 1, 2, 3 or higher.
  • the base polynomial U(x) is univariate.
  • the base polynomial U(x) has coefficients ui, referred to as base data elements.
  • ui is the coefficient of x^i (namely, x to the power i), where i ranges from 0 to n.
  • the entanglement polynomials p(x), q(x) also have coefficients, referred to as entanglement data elements.
  • ai is the coefficient of x^i in p(x), where i ranges from 0 to np.
  • bi is the coefficient of x^i in q(x), where i ranges from 0 to nq.
  • the coefficients and variables are defined over the Galois field GF(M) where M is prime over an N-bit field, and where N is selected to be sufficiently high, such as 256 or higher, for example.
  • the various polynomial coefficients themselves need not be N-bits long (e.g., they may be 32-bits, 64-bits, etc.).
  • Bob’s computing apparatus may comprise or implement a random number generation function for selecting the various coefficients ui, ai and bi.
  • the coefficients of the non-zero-order terms of this polynomial product are collectively referred to as Bob’s public component P, whereas the coefficient of the zero-order term of this polynomial product is referred to as Bob’s private component po.
  • UP(x) = U(x)p(x) = po + (P1 x + P2 x^2 + P3 x^3 + ...), of degree n + np.
  • P1 ... P(n+np) are taken to be the elements of Bob’s public component P, and each of the Pi is a function of the coefficients ui of the base polynomial U(x) and the coefficients {ai} of the first entanglement polynomial p(x).
  • Bob generates the key (Q, qo) by multiplying the base polynomial U(x) with the second entanglement polynomial q(x).
  • UQ(x) = U(x)q(x), of degree n + nq.
  • the coefficients of the non-zero-order terms of this polynomial product are collectively referred to as Bob’s public component Q, whereas the coefficient of the zero-order term of this polynomial product is referred to as Bob’s private component qo.
  • UQ(x) = qo + (Q1 x + Q2 x^2 + Q3 x^3 + ...).
  • Q1 ... Q(n+nq) are the elements of Bob’s public component Q.
  • each of the Qi is a function of the coefficients ui of the base polynomial U(x) and the coefficients bi of the second entanglement polynomial q(x).
  • it may be advantageous to keep np and nq to a lower order, such as 1 or 2 (with roots that are considered to be analytically calculable or mathematically solvable), and to keep n to a higher order, such as 5 or more (with roots that are increasingly difficult to find as n increases).
  • Alice uses Bob’s public component P as non-zero-order coefficients applied to the secret message s, thereby generating the cipher Ps.
  • Alice uses Bob’s public component Q as non-zero-order coefficients applied to the secret message s, thereby generating the cipher Qs.
  • Alice generates Qs = Q1 s + Q2 s^2 + Q3 s^3 + ... (and Ps analogously from the Pi).
  • Bob solves Equation 3 for s, which is the secret message sent by Alice.
  • when the lower-order equation is quadratic, cubic or quartic, there are multiple roots, and the one that corresponds to the secret message s must be appropriately selected.
  • the result of a hash function performed on the secret message s (e.g., 2-8 bits) can be sent by Alice, so that when Bob applies the same hash function to the multiple candidate roots it computes, only one of the hash function results will match the bits received from Alice.
  • a polynomial equation such as Equations 4 and 5 (the cipher equations an attacker would have to solve without the locally-held data elements) does not have an analytical solution when the degree of the equation is 5 or higher.
  • in Equations 4 and 5, making the degree of each equation n+1 or higher (i.e., 6 or higher, such as 10, 100 or 1000 or more or anywhere in between) makes the system unsolvable, or difficult to solve, for s using radicals or another analytical approach, at least based on the scientific limits of today.
  • the secret message s can be extracted by Bob.
  • Bob may compute the quotient of (i) a linear combination (e.g., a sum) of the first cipher Ps and the first private component po and (ii) a linear combination (e.g., a sum) of the second cipher Qs and the second private component qo.
  • Bob may derive the secret message s by computing a predetermined algebraic expression involving (i) said quotient, (ii) the first entanglement data elements ao, ai and (iii) the second entanglement data elements bo, bi.
  • in Equation 6, all terms on the right of the equals sign are known to Bob, and moreover the locally-held data elements (namely, the first subset of locally-held data elements po, ao, ai and the second subset of locally-held data elements qo, bo and bi) are known to Bob but not to Alice or anyone else (including an attacker).
  • the private components po, qo are intricately linked to the entanglement coefficients (in this case ao, ai, bo, bi) in order to enable truly secure communications.
  • without po, qo, ao, ai, bo and bi, an attacker simply cannot solve for s, and is forced into brute force / trial and error, which makes the present technique highly secure for financial transactions, blockchain transactions or any other sensitive communications.
  • the base polynomial U(x) can be designed with a degree that is sufficiently high so that the secret message s is difficult to derive from the first public component P, the first cipher P s , the second public component Q and the second cipher Q s .
  • the base polynomial can be made multivariate, as is now described.
  • the sender chooses Z-1 noise data elements that act as variables which an attacker (who does not have knowledge of the private data elements) must take into consideration when solving, but these noise data elements do not change anything in the way that the recipient computes the secret using the private data elements.
  • uijk is the coefficient of x^i y^j z^k (namely, x to the power i, y to the power j and z to the power k), where i ranges from 0 to n, j ranges from 0 to m and k ranges from 0 to l.
  • the entanglement polynomials p(x), q(x) also have coefficients, referred to as entanglement data elements, which may be similar to that which was previously described.
  • the coefficients, variables and other data elements may be defined over the Galois field GF(M) where M is prime over an N-bit field, and where N is selected to be sufficiently high, such as 256 or higher, for example.
  • Bob’s computing apparatus may comprise or implement a random number generation function for selecting the various coefficients uijk, ai and bi.
  • Bob generates the key (P, po) by multiplying the base polynomial U(x,y,z) with the first entanglement polynomial p(x).
  • this gives a tri-variate polynomial UP(x,y,z) = U(x,y,z)p(x) of degree n + np in the variable x, of degree m in the variable y and of degree l in the variable z.
  • the coefficients of the non-all-zero-order terms of this polynomial product are collectively referred to as Bob’s first public component P, whereas the coefficient of the all-zero-order term of this polynomial product is referred to as Bob’s private component po.
  • each of the Pijk is a function of the coefficients uijk of the multivariate base polynomial U(x,y,z) and the coefficients ai of the first entanglement polynomial p(x).
  • p(x) is referred to as an “entanglement polynomial” (in this case, the “first” entanglement polynomial, as a second such polynomial is described below).
  • Bob generates the key (Q, qo) by multiplying the base polynomial U(x,y,z) with the second entanglement polynomial q(x).
  • UQ(x,y,z) = U(x,y,z)q(x), of degree n + nq in the variable x, of degree m in the variable y and of degree l in the variable z.
  • the coefficients of the non-all-zero-order terms of this polynomial product are collectively referred to as Bob’s second public component Q, whereas the coefficient of the all-zero-order term of this polynomial product is referred to as Bob’s private component qo.
  • each of the Qijk is a function of the coefficients uijk of the multivariate base polynomial U(x,y,z) and the coefficients bi of the second entanglement polynomial q(x).
  • Alice uses Bob’s public component P as non-all-zero-order coefficients applied to the secret message s, the first noise data element t and the second noise data element u, in order to generate the cipher Ps.
  • Alice uses Bob’s public component Q as non-all-zero-order coefficients applied to the secret message s, the first noise data element t and the second noise data element u, in order to generate the cipher Qs.
  • Alice then sends the ciphers Ps and Qs back to Bob for decryption of the secret message s.
  • the root s of Equation 3 is the secret message sent by Alice (in the case of multiple roots, a root selection / confirmation process is needed).
  • this computation is independent of the noise data elements t and u that are selected by Alice. This means that the multivariate implementation does not render legitimate decryption more computationally complex than the univariate implementation. However, it can make things much more difficult for an attacker.
  • noise variables are extremely powerful in blocking possible attacks.
  • without po, qo, ao, ai, bo and bi, an attacker simply cannot solve for s, and is forced into brute force / trial and error, which is the ultimate demonstration of security, since such an approach is always available.
  • the above techniques are highly secure for financial transactions, blockchain transactions or any other sensitive communications from Alice to Bob. This can be done in real time, since the encryption process is as simple as a polynomial calculation (using modulo arithmetic).
  • Bob can use the same technique to transmit confidential information to Alice by encrypting it with Alice’s public components (e.g., obtained from the central authority), whereby Alice would decrypt such messages using its own version of po, qo, ao, ai, bo and bi.
  • N is the size of the Galois field (in bits).
  • a suitable value for N may be 256 bits, but this may be increased (e.g., 512 or 1024 or even more, and not necessarily a power of 2).
  • M is a suitably large prime number over GF(2^N).
  • M can be a randomly generated prime number between 2 and 2^N - 1.
  • modulo-M arithmetic ensures accuracy of arithmetic operations, such as modulo division.
  • strictly, M only needs to be co-prime with the denominator, but since the denominator is unknown a priori, keeping M prime ensures accuracy (every non-zero denominator is invertible).
  • the value of M may form part of the information openly shared or distributed by Bob, since Alice would need to know M in order to properly carry out its computations of the ciphers P s , Q s using modulo arithmetic.
  • M may be a public variable associated with Bob and available to Alice.
  • in the signing use case, a “signer” (e.g., Bob) signs a digital message (sometimes referred to as a “document”), denoted d, for a “verifier” (e.g., Alice).
  • the method broadly involves Bob computing a first message- dependent public variable (denoted t in the signing use case, not to be confused with the first noise data element in the encryption use case) and a second message-dependent public variable (denoted u in the signing use case, not to be confused with the second noise data element in the encryption use case), based on the document d and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements.
  • first and second sets of locally-held data elements are accessible exclusively to Bob.
  • the first and second sets of locally-held data elements can be the private data elements {ai} and {bi} as previously described in connection with the encryption use case.
  • the first and second message-dependent public variables can be a hash function applied to a function (e.g. a concatenation) of (i) the document d and (ii) a function (e.g., XOR) of the first (or second) set of locally-held data elements.
  • t = H(d || (a0 XOR a1))
  • u = H(d || (b0 XOR b1))
  • H( ⁇ ) can be one of, or a combination of, various hash algorithms described in, for example, Practical Cryptography: Algorithms and Implementations Using C++, by Saiful Azad and Al-Sakib Khan Pathan (Editors), ISBN-10: 9781482228892, hereby incorporated by reference herein.
  • Bob may compute a first result P_s that is a first polynomial function of the first message-dependent public variable t and the second message-dependent public variable u, wherein the coefficients P_ijk of the first polynomial function are Bob’s first public component P, as described in connection with the encryption use case.
  • k mod M where, in the signing use case, s is a new function of (i) the document d, (ii) the first message-dependent public variable t and (iii) the second message-dependent public variable u.
  • s is not to be confused with the secret message s in the encryption use case.
  • s = H(d || t || u).
  • Bob may compute a second result Q_s that is a second polynomial function of the first message-dependent public variable t and the second message-dependent public variable u, wherein the coefficients Q_ijk of the second polynomial function are Bob’s second public component Q. For example, one may have: where s is as previously defined for the signing use case.
  • Bob may compute a signature s that is a third function of the first and second results.
  • the signature s may be computed as the quotient of P_s and Q_s, mod M.
  • Bob then creates an augmented message nu, comprising the document d, the first message-dependent public variable t, the second message-dependent public variable u and the signature s.
  • the augmented message nu is transmitted to a verifier (e.g., Alice) over a network (e.g., the data / communications network 30, such as the Internet).
  • the augmented message nu may be stored in a computer memory (e.g., smartphone memory, USB key, etc.) and ultimately transmitted to the verifier (either physically or over a data network).
  • the issue is not necessarily one of unbreakable security of the augmented message a M reaching the verifier, but rather one of ensuring that if a message is received by the verifier that is allegedly from a given signer (e.g., Bob), then based on what appears to be the signature associated with that received message, together with publicly available information about Bob (e.g., Bob’s public components P and Q), the verifier should be able to verify that the message did indeed originate from Bob and nobody else.
  • the verifier decrypts the received signature and message-dependent public variables using the verifier’s own private components and entanglement coefficients, which would ensure there has been no tampering with the data sent by the signer.
  • Other techniques for ensuring secure transmission of data elements from the signer to the verifier are also possible.
  • the verifier ultimately receives the augmented message nu. It continues to be assumed that the signer is Bob and the verifier is Alice. As the verifier, Alice performs a verification process, which includes processing the augmented message nu and Bob’s public components P, Q in order to gain assurance that the document d did indeed originate from Bob.
  • the verification process may include Alice generating a “candidate signature” from the information in the augmented message nu and comparing the candidate signature to the signature s included in the received augmented message nu
  • Alice computes a first candidate result P*_s that is a first polynomial function of the first message-dependent public variable t and the second message-dependent public variable u contained in the augmented message nu
  • the coefficients of the first polynomial function are the terms of Bob’s first public component P.
  • Alice computes a second candidate result Q*_s that is a second polynomial function of the first message-dependent public variable t and the second message-dependent public variable u contained in the augmented message nu
  • the coefficients of the second polynomial function are the terms of Bob’s second public component Q.
  • P and Q are publicly available data elements known to Alice as being associated with Bob, and may include the complete set of coefficients of all non-all-zero terms of a univariate or multivariate polynomial.
  • Alice computes a candidate signature s* that is a third function of the first candidate result P*_s and the second candidate result Q*_s.
  • a function other than a quotient can be used, depending naturally on the function used by the sender to create the signature in the first place.
  • Alice compares the candidate signature s* to the received signature s (in the augmented message nu), concluding that verification of the augmented message a M is successful if the candidate signature s* matches the received signature s, and that verification is unsuccessful otherwise.
  • Alice may cause a signal indicative of an alarm to be issued so as to indicate a suspicion that an impostor of Bob may have sent the augmented message nu.
  • This signal may be output by the computing device 20 and may include a message sent over the data / communications network 30.
  • certain embodiments can utilize a layer of indirection to ensure that when a signature s for a given document d is transmitted in an augmented message nu, it is the correct signature for that message.
  • Bob publishes the signature s and the message-dependent public variables t, u to a third party database, in association with Bob’s public components P, Q and a hash h of the document d.
  • when Alice receives the augmented message nu from Bob, Alice can check the third party database, on the basis of Bob’s public components P, Q and the hash h, to find the signature s and the message-dependent public variables t, u.
  • M need not be the largest number in the Galois Field GF(2^N).
  • M may be a randomly generated N-bit number, whereby M is a value associated with Alice and made available to Bob. Accordingly, Alice’s computing apparatus may implement a random number generator, and the value of M may be communicated to Bob in a message or via the central authority 40. In that way, M can be considered another publicly available data element associated with Bob.
  • In FIG. 6, a schematic of a non-limiting example of a computing apparatus 212, also referred to as a computer system/server, is shown.
  • Computing apparatus 212 is only one example of a suitable apparatus and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein.
  • the computing apparatus 212 is capable of implementing and/or performing any of the functionality set forth herein above.
  • Separate computing apparatuses 212 may be used to implement and/or perform the functionalities associated with Alice 20, Bob 10 and/or the certification authority 40. As such, when referring to Alice and Bob performing actions, this is intended to reflect actions performed by the appropriate computing apparatus, which can have the role of a sender and/or recipient of data in the encryption use case or the signing use case.
  • a single computing apparatus may implement the functionality of a sender in one direction of communication and of a recipient in the other.
  • the computing apparatus 212 may be described in the general context of computer-readable instructions, such as program modules, being executed by a processor.
  • program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types.
  • the computing apparatus 212 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer system storage media including memory storage devices.
  • the computing apparatus 212 may include, but is not limited to, one or more processors or processing units 216, a system memory 228, and a bus 218 that couples various system components including system memory 228 to processor 216.
  • the bus 218 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
  • bus architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
  • the computing apparatus 212 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by the computing apparatus 212, and it includes both volatile and non-volatile media, removable and non-removable media.
  • System memory 228 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 230 and/or cache memory 232.
  • the computing apparatus 212 may further include other removable/non-removable, volatile/non-volatile computer system storage media.
  • storage system 234 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a "hard drive").
  • a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a "floppy disk")
  • an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media
  • each can be connected to the bus 218 by one or more data media interfaces.
  • the memory 228 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the.
  • a program/utility 240 having a set (at least one) of program modules 242, may be stored in the memory 228 by way of example, and not limitation, as well as an Operating System, one or more application programs, other program modules, and program data. Each of the Operating System, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment.
  • Program modules 242 may generally carry out the functions and/or methodologies of various embodiments as described herein.
  • the computing apparatus 212 may also communicate with one or more external devices 214 such as a keyboard, a pointing device, a display 224, etc.; one or more devices that enable a user to interact with the computing device 210; and/or any devices (e.g., network card, modem, etc.) that enable the computing device 210 to communicate with one or more other computing devices. Such communication can occur via Input / Output (I/O) interfaces 222. Still yet, the computing device 210 can communicate with one or more networks 30 such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 220.
  • the network adapter 220 communicates with the other components of the computing apparatus 212 via the bus 218. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with the computing apparatus 212. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.
  • Embodiments may be a system, a method, and/or a computer program product.
  • the computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the disclosure, including processes or methods.
  • the computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.
  • the computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing.
  • a non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.
  • a computer readable storage medium is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
  • Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.
  • the network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers.
  • a network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, Firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
  • the computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • electronic circuitry including, for example, programmable logic circuitry, field- programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
  • These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
  • the computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the Figures.
  • two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
  • calculations may be referred to as involving a “polynomial” in order to facilitate understanding of certain concepts and features; operations are nevertheless carried out electronically using arithmetic operations with arrays or other data structures.
  • data elements being coefficients of a polynomial, and where such data elements or coefficients are applied to another data element (such as a digital message, an intermediate data element, etc.) used as a variable of the polynomial, this may be carried out in machine language in a variety of ways, for example, by array multiplication or other arithmetic operations.
  • references throughout this disclosure to “one embodiment,” “exemplary embodiment,” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention.
  • appearances of the phrases “in one embodiment,” “in an exemplary embodiment,” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment, although this may be the case in some instances.
  • the particular features, structures or characteristics may be combined in any suitable manner, as would be apparent to one of ordinary skill in the art from this disclosure, in one or more embodiments.
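The signing and verification steps described above (t = H(d || a0 XOR a1), u = H(d || b0 XOR b1), s = H(d || t || u), the results P_s and Q_s as polynomials with Bob's public coefficients, the signature as their quotient mod M, and Alice's candidate-signature comparison), worked through as an added example that is not the patent's own code. It assumes SHA-256 for H, a small known prime for M, constructed sample values for {a_i}, {b_i}, P and Q, and that the third index k of P_ijk / Q_ijk is the exponent of s, which the fragment above suggests but does not state.

```python
import hashlib

# Constructed toy modulus (not the page's value): the page calls for a random prime M
# of roughly N = 256 bits; 2**61 - 1 is a known (Mersenne) prime that keeps values short.
M = (1 << 61) - 1


def to_bytes(x: int) -> bytes:
    """Fixed-width big-endian encoding so that concatenated fields cannot be confused."""
    return x.to_bytes(32, "big")


def H(*parts: bytes) -> int:
    """H(x || y || ...): SHA-256 over the concatenation, read as an integer (assumed hash)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def xor_fold(elems) -> int:
    """XOR of a set of locally held data elements, e.g. a0 XOR a1."""
    acc = 0
    for e in elems:
        acc ^= e
    return acc


def poly_eval(coeffs: dict, t: int, u: int, s: int) -> int:
    """Evaluate the sum over (i, j, k) of c_ijk * t^i * u^j * s^k, mod M.

    coeffs maps exponent triples (i, j, k) to coefficients, following the page's
    P_ijk / Q_ijk notation; treating s as the third variable is our assumption.
    """
    total = 0
    for (i, j, k), c in coeffs.items():
        total = (total + c * pow(t, i, M) * pow(u, j, M) * pow(s, k, M)) % M
    return total


def message_vars(d: bytes, a, b):
    """Bob's message-dependent public variables t = H(d || a0 XOR a1), u = H(d || b0 XOR b1)."""
    t = H(d, to_bytes(xor_fold(a))) % M   # reduced mod M so it lives in the field
    u = H(d, to_bytes(xor_fold(b))) % M
    return t, u


def quotient_signature(d: bytes, t: int, u: int, P: dict, Q: dict):
    """P_s / Q_s mod M for the given (d, t, u); shared by signer and verifier.

    Returns None when Q_s = 0 mod M, where the quotient is undefined. For any other
    Q_s the inverse exists because M is prime (the page's reason for keeping M prime).
    Needs Python 3.8+ for pow(x, -1, M).
    """
    s = H(d, to_bytes(t), to_bytes(u)) % M   # s = H(d || t || u), the signing-use-case s
    Ps = poly_eval(P, t, u, s)
    Qs = poly_eval(Q, t, u, s)
    if Qs == 0:
        return None
    return Ps * pow(Qs, -1, M) % M


def sign(d: bytes, a, b, P: dict, Q: dict) -> dict:
    """Signer (Bob): build the augmented message (d, t, u, signature)."""
    t, u = message_vars(d, a, b)
    sig = quotient_signature(d, t, u, P, Q)
    if sig is None:
        raise ValueError("Q_s is zero mod M; the signature is undefined for this document")
    return {"d": d, "t": t, "u": u, "sig": sig}


def verify(msg: dict, P: dict, Q: dict) -> bool:
    """Verifier (Alice): recompute the candidate signature s* and compare it to the received one."""
    candidate = quotient_signature(msg["d"], msg["t"], msg["u"], P, Q)
    return candidate is not None and candidate == msg["sig"]


# Constructed sample key material (not from the page): Bob's private sets {a_i}, {b_i}
# and public coefficient sets P, Q, each a small polynomial in t, u and s.
A_PRIV = [0x1234567890ABCDEF, 0x0FEDCBA987654321]
B_PRIV = [0x1122334455667788, 0x8877665544332211]
P_PUB = {(1, 0, 0): 7, (0, 1, 0): 11, (1, 1, 1): 13, (2, 0, 1): 17}
Q_PUB = {(1, 0, 0): 3, (0, 1, 0): 5, (1, 1, 1): 19, (0, 2, 1): 23}


if __name__ == "__main__":
    msg = sign(b"transfer 10 units to account 42", A_PRIV, B_PRIV, P_PUB, Q_PUB)
    print("verified:", verify(msg, P_PUB, Q_PUB))             # True
    altered = dict(msg, d=b"transfer 99 units to account 42")  # document changed in transit
    print("altered verified:", verify(altered, P_PUB, Q_PUB))  # False
```

Every input that verify() consumes is either carried in the augmented message (d, t, u) or is Bob's public data (P, Q, M); the comparison establishes that the received signature is consistent with those values, while the binding of t and u to Bob's private {a_i}, {b_i} rests on the third-party-database indirection the page describes.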

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A method to securely transmit a secret from a sender to a recipient, comprising: (i) computing a first cipher from the secret, at least one noise data element and a first set of public data elements, wherein the first set of public data elements correspond to a first set of recipient-held data elements that are unknown to the sender; (ii) computing a second cipher from the secret, the at least one noise data element and a second set of public data elements, wherein the second set of public data elements correspond to a second set of recipient-held data elements that are unknown to the sender; and (iii) transmitting the first cipher and the second cipher to the recipient; wherein the secret is derivable by a predefined arithmetic computation involving the first cipher, the second cipher, the first set of recipient-held data elements and the second set of recipient-held data elements.

Description

METHODS AND SYSTEMS FOR ENCRYPTION, DECRYPTION, SIGNING AND VERIFICATION OF DIGITAL MESSAGES
FIELD
The present invention relates generally to digital security measures and, in particular, to methods and systems for encrypting, decrypting, signing and verifying digital messages.
BACKGROUND
There are many techniques for encoding and signing digital messages using digital keys. Generally speaking, in the case of encryption, a sender uses a recipient’s publicly available (or public) key to encrypt a message and the recipient’s private key is used to decrypt the message. The idea is for the holder of the private key to be the only one capable of decrypting the message. In the case of signing, a sender uses their private key to sign a message and the sender’s public key is used by any recipient to verify the message. The idea here is for any recipient of a message purportedly from the sender to ascertain that the message was truly sent by that sender. In both encryption and signing, heavy reliance is placed on secretly guarding the private key and on the assumption that a user’s private key cannot be cracked from other information, such as the user’s public key and/or a message that was encrypted or signed with the user’s private key. However, this assumption is becoming precarious for most public-private key algorithms, as computing power increases.
Specifically, for a typical public-private key algorithm, there is a relationship among the private key, the public key and the result of an encrypted or signed message. For example, it is common for the keys to be based on large prime numbers. With enough computing power, one could generate many candidate private keys and test for suitability of each with respect to a given public key. Knowledge of the pre-existing relationship between the public and private keys allows one to focus on a restricted set of possible candidates, effectively providing a “shortcut” to the private key. Advances in quantum computing make it increasingly feasible to find the right private key that is associated with a public key. As such, public-private key algorithms where one key is derivable from the other based merely on computational effort are becoming less secure by the day.
SUMMARY
It may thus be beneficial to devise a key-based algorithm where calculating the private component from publicly available information is not an option for an attacker, leaving brute force as the only remaining approach for the attacker to use.
It may also be beneficial to devise a digital signature process where it becomes possible to securely verify that a message purportedly sent by a particular party was indeed sent by the particular party.
According to a first broad aspect, there is provided a method, computer-readable medium and apparatus for securely transmitting a secret to a recipient over a data network. The method comprises (i) computing a first cipher from a secret data element, at least one noise data element and a first set of public data elements, the first set of public data elements corresponding to a first set of recipient-held data elements that are unknown to the sender computing apparatus; (ii) computing a second cipher from the secret data element, the at least one noise data element and a second set of public data elements, the second set of public data elements corresponding to a second set of recipient-held data elements that are unknown to the sender computing apparatus; and (iii) transmitting the first cipher and the second cipher to the recipient over the data network; wherein the secret data element is derivable by a predefined arithmetic computation involving the first cipher, the second cipher, the first set of recipient-held data elements and the second set of recipient-held data elements.
According to a second broad aspect, there is provided a method, computer-readable medium and apparatus for carrying out secure cryptographic decryption of data received from a remote device over a data network. The method comprises (i) computing a first set of public data elements and a corresponding first set of locally-held data elements; (ii) computing a second set of public data elements and a corresponding second set of locally-held data elements; (iii) causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device; (iv) receiving a first cipher and a second cipher from the remote device over the data network; (v) combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element; and (vi) storing the decrypted data element in a non-transitory storage medium.
According to a third broad aspect, there is provided a method, computer-readable medium and apparatus for digitally signing a document for transmission to a recipient over a data network. The method comprises (i) computing a first message-dependent public variable and a second message-dependent public variable based on the document and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements, the first and second sets of locally-held data elements being accessible exclusively to the local computing apparatus; (ii) computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements associated with the local computing apparatus; (iii) computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements associated with the local computing apparatus; (iv) computing a signature that is a third function of the first and second results; and (v) sending an augmented message to the recipient over the data network, the augmented message comprising the document, the first message-dependent public variable, the second message-dependent public variable and the signature, wherein the augmented message is verifiable as having been sent by the local computing apparatus by processing the elements of the augmented message.
According to a fourth broad aspect, there is provided a method, computer-readable medium and apparatus for digitally verifying an augmented message purportedly sent by a sender, the augmented message comprising a document, a first message-dependent public variable, a second message-dependent public variable and a received signature. The method comprises (i) computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements known to the recipient computing apparatus as being associated with the sender; (ii) computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements known to the recipient computing apparatus as being associated with the sender; (iii) computing a candidate signature that is a third function of the first and second results; and (iv) comparing the candidate signature to the received signature and concluding successful verification of the augmented message if the candidate signature matches the received signature and unsuccessful verification otherwise.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other aspects of the present disclosure will now be described in greater detail having reference to the accompanying drawings, in which:
Fig. 1 is a block diagram showing two computing apparatuses engaged in digital communications over a network.
Fig. 2 is a signal flow diagram illustrating, at a general level, an encryption method in accordance with a non-limiting embodiment.
Fig. 3 is a more detailed version of the signal flow diagram of Fig. 2, for the univariate case, in accordance with a non-limiting embodiment.
Fig. 4 is a more detailed version of the signal flow diagram of Fig. 2, for the multivariate case, in accordance with a non-limiting embodiment.
Fig. 5 is a flowchart illustrating a digital signing process in accordance with a non-limiting embodiment.
Fig. 6 is a block diagram showing the inner workings of a computing apparatus, in accordance with a non-limiting embodiment.
Those of skill in the art will appreciate that the drawings are to be taken as illustrative and not limiting.
DETAILED DESCRIPTION
Reference is made to Fig. 1, which illustrates two computing apparatuses 10, 20 participating in a message exchange over a data / communication network 30. The data / communication network may be any conventional public or private packet-based communications network, wired or wireless, or a combination thereof. In an embodiment, the data / communication network 30 may include the Internet. A convention is adopted herein according to which computing apparatus 10 is referred to as “Bob” and computing apparatus 20 is referred to as “Alice”. Also illustrated is a central authority 40 connected to Alice and Bob via the data / communication network 30; in some embodiments the central authority 40 may be implemented as a web server. It is noted that an existing data / communication network 30 (e.g., Internet and/or LAN) can be used, and that the computing apparatuses 10, 20 can be desktop computers, workstations, mobile communication devices of any kind (e.g., smartphones, laptops, tablets, watches and other wearables), web servers, automatic teller machines, personal computer systems, server computer systems, thin clients, thick clients, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices. Such devices may be adapted with software or firmware (e.g., an app or other program) for encrypting, decrypting, signing and verifying digital messages transmitted over the communication network 30.
In an embodiment, Bob generates at least two data elements, which can be referred to as “keys”, each comprising a public component and private component, in the manner to be described below. Specifically, Bob’s first key (P, po) includes a public component P and a private component po, whereas Bob’s second key (Q, qo) includes a public component Q and a private component qo. Bob’s public components P, Q are made available to Alice directly (via the data / communication network 30) or through the central authority 40. To this end, Bob may send Bob’s public components P, Q to the central authority 40, and the central authority 40 may send Bob’s public components P, Q to Alice upon request (e.g., by Alice providing Bob’s identifier to the central authority 40 and the central authority 40 sending Bob’s public components in return), or the central authority 40 may maintain Bob’s public components P, Q in a database for consumption by Alice. Bob’s private components po, qo are maintained by Bob securely in a memory of the computing apparatus associated with Bob. In some embodiments, the public components P, Q may be encapsulated in Internet Protocol packets (IP) as they travel towards Alice, possibly over the data / communication network 30.
There are at least two main use cases for the keys, one being encryption and the other one being signing. Other use cases may become apparent to those of skill in the art.
Encryption use case
In the encryption use case, Alice wishes to securely send a digital message, denoted s, to Bob. The digital message s can be referred to as a secret message (or simply a “secret”). To this end, and as shown in the signal flow diagram of Fig. 2, Alice produces two ciphers Ps, Qs from the same secret message s and Bob’s public components P, Q, respectively. Alice sends the ciphers Ps, Qs to Bob. Bob extracts the secret message s from (i) the ciphers Ps, Qs; (ii) Bob’s private components p0, q0; and (iii) two subsets of “additional information” that was used to generate the keys (P, p0), (Q, q0). Because this “additional information” is held only by Bob and is used in the generation of the keys in the manner described in greater detail below, only Bob can decrypt the ciphers Ps, Qs to extract the secret message s sent by Alice. In some embodiments, Bob’s public component P includes a set of public data elements that are coefficients of a first polynomial and Bob’s public component Q includes a set of public data elements that are coefficients of a second polynomial. The polynomials can be of any order (e.g., 5 or higher) and of any number of variables (univariate, bivariate, trivariate or higher).
Also, for the sake of terminology, Bob’s private component p0 and one of the two subsets of the “additional information” (denoted {a_i}) can together be referred to as a first set of locally-held data elements (of which there are three if np = 1, for example: p0, a_0 and a_1), and Bob’s private component q0 and the other subset of the “additional information” (denoted {b_i}) can together be referred to as a second set of locally-held data elements. The first and second sets of locally-held data elements are not shared with Alice.
A relationship exists between the public and private components of the two keys. In particular, as will be shown below, the keys (P, p0), (Q, q0) are generated in such a way that the quotient of the two ciphers Ps, Qs, after each is augmented by the respective private component p0, q0, equals the quotient of two lower-order (e.g., affine or quadratic, or even cubic or quartic) functions of the secret message s, the coefficients of these lower-order functions being the {a_i} and the {b_i}.
Since Bob knows all of the locally-held data elements (p0, q0, {a_i}, {b_i}), Bob can solve for the secret message s through simple arithmetic (i.e., by finding the root(s) of an affine, quadratic, cubic or quartic equation). In the case of a non-affine equation (quadratic, etc.), there are multiple roots, and the one that corresponds to the secret message s must be selected. For this purpose, root verification information can be sent by Alice. By way of non-limiting example, the root verification information can be a few bits of a hash function applied to the secret message s, so that when Bob applies the same hash function to the candidate roots it computes, only one of them will match the bits received from Alice. The number of bits sent determines how likely it is that two candidate roots collide on these bits, and also how much those bits reveal about s; both are small when only a few bits are sent.
An attacker, however, does not know the locally-held data elements. The attacker is therefore faced with finding the roots of the aforementioned first and second polynomials in order to solve for the secret message s. According to the present technique, this can be made more difficult by choosing the order and the number of variables of the first and second polynomials. For example, the first and second polynomials can have an order of 5, 10, 100, 1000 or more, or anywhere in between, and the number of polynomial variables can be 1, 2, 3 or higher. Let Z denote the number of polynomial variables. The use cases for Z=1 (univariate) and Z>1 (multivariate) are now described in greater detail.
Univariate encryption use case (Z=1)
With additional reference to Fig. 3, generation of the keys (P, p0) and (Q, q0) is now described. Specifically, Bob selects a “base polynomial” U(x) and two “entanglement polynomials” p(x), q(x). In this embodiment, the base polynomial U(x) is univariate. The base polynomial U(x) has coefficients u_i, referred to as base data elements: u_i is the coefficient of x^i (x to the power i), where i ranges from 0 to n. The entanglement polynomials p(x), q(x) also have coefficients, referred to as entanglement data elements: for the first entanglement polynomial p(x), a_i is the coefficient of x^i, where i ranges from 0 to np, whereas for the second entanglement polynomial q(x), b_i is the coefficient of x^i, where i ranges from 0 to nq. For the purposes of this description, the coefficients and variables are defined over the Galois field GF(M), where M is an N-bit prime and N is selected to be sufficiently high, such as 256 or higher. The individual polynomial coefficients themselves need not be N bits long (e.g., they may be 32 or 64 bits), although drawing the private data elements from a smaller range reduces their entropy and should be avoided in practice. In a non-limiting embodiment, Bob’s computing apparatus may comprise or implement a random number generation function for selecting the various coefficients u_i, a_i and b_i; for key material this should be a cryptographically secure generator.
In an embodiment, Bob generates the key (P, p0) by multiplying the base polynomial U(x) with the first entanglement polynomial p(x). This gives a univariate polynomial UP(x) = U(x)p(x) of degree n + np. The coefficients of the non-zero-order terms of this polynomial product are collectively referred to as Bob’s public component P, whereas the coefficient of the zero-order term is referred to as Bob’s private component p0. In other words, UP(x) = p0 + (P_1 x + P_2 x^2 + P_3 x^3 + ... + P_{n+np} x^{n+np}), where P_1 ... P_{n+np} are the elements of Bob’s public component P, and each P_i is a function of the coefficients u_i of the base polynomial U(x) and the coefficients {a_i} of the first entanglement polynomial p(x). For np = 1 (such that {a_i} = {a_0, a_1}), this can be expressed in matrix notation as follows:
Figure imgf000009_0001
As such, Bob’s public component P = {P_i} is the result of the coefficients of p(x) being entangled with the coefficients of the base polynomial U(x); hence p(x) is referred to as an “entanglement polynomial” (in this case the “first” entanglement polynomial, a second such polynomial being described below).
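For np = 1 the entanglement step is a convolution of the two coefficient vectors, and the matrix relation the text refers to can be written out explicitly. The following is an added derivation from the definitions above (not the original figure), using the convention u_{-1} = u_{n+1} = 0:

$$
UP(x)=\Big(\sum_{i=0}^{n}u_i x^i\Big)(a_1 x+a_0)
=\underbrace{a_0u_0}_{p_0}+\sum_{i=1}^{n+1}\underbrace{\big(a_0u_i+a_1u_{i-1}\big)}_{P_i}\,x^i \pmod M ,
$$

$$
\begin{pmatrix} p_0\\ P_1\\ P_2\\ \vdots\\ P_n\\ P_{n+1}\end{pmatrix}
=
\begin{pmatrix}
a_0 & 0 & 0 & \cdots & 0\\
a_1 & a_0 & 0 & \cdots & 0\\
0 & a_1 & a_0 & \cdots & 0\\
\vdots & & \ddots & \ddots & \vdots\\
0 & \cdots & 0 & a_1 & a_0\\
0 & \cdots & 0 & 0 & a_1
\end{pmatrix}
\begin{pmatrix} u_0\\ u_1\\ u_2\\ \vdots\\ u_n\end{pmatrix} \pmod M .
$$

Only the n+1 rows giving P_1 ... P_{n+1} are published; the first row, p_0 = a_0 u_0, stays with Bob.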
Similarly, in an embodiment, Bob generates the key (Q, q0) by multiplying the base polynomial U(x) with the second entanglement polynomial q(x). This gives a univariate polynomial UQ(x) = U(x)q(x) of degree n + nq. The coefficients of the non-zero-order terms of this polynomial product are collectively referred to as Bob’s public component Q, whereas the coefficient of the zero-order term is referred to as Bob’s private component q0. In other words, UQ(x) = q0 + (Q_1 x + Q_2 x^2 + Q_3 x^3 + ... + Q_{n+nq} x^{n+nq}), where Q_1 ... Q_{n+nq} are the elements of Bob’s public component Q, and each Q_i is a function of the coefficients u_i of the base polynomial U(x) and the coefficients b_i of the second entanglement polynomial q(x).
As will become clear from the description below, it may be advantageous to keep np and nq low, such as 1 or 2 (so that the roots of p(x) and q(x) are analytically calculable), and to keep n high, such as 5 or more (the intent being that the roots of the resulting public polynomials become harder to find as n increases).
From Alice’s perspective, Alice uses Bob’s public component P as the non-zero-order coefficients of a polynomial evaluated at the secret message s, thereby generating the cipher Ps. Specifically, Alice computes Ps = P_1 s + P_2 s^2 + P_3 s^3 + ... + P_{n+np} s^{n+np} (mod M), where P_1 ... P_{n+np} are the elements of Bob’s public component P. Likewise, Alice uses Bob’s public component Q to generate the cipher Qs = Q_1 s + Q_2 s^2 + Q_3 s^3 + ... + Q_{n+nq} s^{n+nq} (mod M), where Q_1 ... Q_{n+nq} are the elements of Bob’s public component Q. Alice then sends the ciphers Ps and Qs to Bob for decryption of the secret message s.
Bob is now the recipient of Ps and Qs, the ciphers resulting from encryption of s with Bob’s public components P and Q, respectively. In this context, recall that
UP(s) = p0 + (P_1 s + P_2 s^2 + P_3 s^3 + ... + P_{n+np} s^{n+np}) = p0 + Ps and
UQ(s) = q0 + (Q_1 s + Q_2 s^2 + Q_3 s^3 + ... + Q_{n+nq} s^{n+nq}) = q0 + Qs.
Based on the above, consider a first expression for the quotient UP(s) / UQ(s):
UP(s) / UQ(s) = (p0 + Ps) / (q0 + Qs), Equation 1
from which it is noted that all of the terms p0, Ps, q0, Qs are known to Bob (Ps, Qs having been received from Alice and p0, q0 having been securely stored in memory by Bob).
An important mathematical relationship is now exploited by Bob. Specifically, recall that UP(x) = U(x)p(x), and that UQ(x) = U(x)q(x). Therefore, one has:
UP(x) / UQ(x) = U(x)p(x) / U(x)q(x) = p(x) / q(x). In other words:
UP(s)/UQ(s) = p(s)/q(s). Equation 2
One can then equate the two expressions for the quotient (a modular division) UP(s) / UQ(s) from Equations 1 and 2 above:
UP(s) / UQ(s) = p(s) / q(s) = (p0 + Ps) / (q0 + Qs), which yields:
(q0 + Qs) * p(s) = (p0 + Ps) * q(s) Equation 3
Assuming that p(s) and q(s) are polynomials whose roots can be found in closed form (i.e., np and nq are at most 4, so that p(x) and q(x) are linear, quadratic, cubic or quartic; in practice 1 or 2), one can solve Equation 3 for s, which is the secret message sent by Alice. In the case of a quadratic, cubic or quartic, there are multiple roots, and the one that corresponds to the secret message s must be selected. For this purpose, a few bits (e.g., 2-8) of a hash function applied to the secret message s can be sent by Alice, so that when Bob applies the same hash function to the candidate roots it computes, only one of the results will match the bits received from Alice (with a small probability of a collision among the candidates, which decreases as more hash bits are sent).
Consider now that an attacker gains access to Bob’s public components P, Q and to the ciphers Ps, Qs. The attacker is faced with the following problem:
P_1 s + P_2 s^2 + P_3 s^3 + ... + P_{n+np} s^{n+np} = Ps
Q_1 s + Q_2 s^2 + Q_3 s^3 + ... + Q_{n+nq} s^{n+nq} = Qs.
The attacker must therefore find the roots of an (n+np)-th order equation and an (n+nq)-th order equation:
P_1 s + P_2 s^2 + P_3 s^3 + ... + P_{n+np} s^{n+np} - Ps = 0 Equation 4
Q_1 s + Q_2 s^2 + Q_3 s^3 + ... + Q_{n+nq} s^{n+nq} - Qs = 0 Equation 5
The general form of Equations 4 and 5 has no solution in radicals when the degree of the equation is 5 or higher. Reference is made to the theorems of Abel-Ruffini and Galois (see Abel, N. H., "Beweis der Unmöglichkeit, algebraische Gleichungen von höheren Graden als dem vierten allgemein aufzulösen", J. reine angew. Math. 1, 65, 1826; Abel, N. H. (1881) [1824], "Mémoire sur les équations algébriques, où l'on démontre l'impossibilité de la résolution de l'équation générale du cinquième degré", in Sylow, Ludwig (ed.), Œuvres Complètes de Niels Henrik Abel, I (2nd ed.), Grøndahl & Søn, pp. 28-33; Tignol, Jean-Pierre (2001), Galois' Theory of Algebraic Equations, World Scientific, pp. 232-3, 302, ISBN 978-981-02-4541-2; all three documents are hereby incorporated by reference herein). The inventor's position is that, even where a solution can be found, it becomes increasingly difficult to do so as the degree of the equation increases, which can be achieved by increasing n.
It should be noted, however, that the Abel-Ruffini and Galois results concern the existence of a formula in radicals; they do not bound the cost of computing roots in a finite field. Over GF(M) with M prime, randomized root-finding algorithms (Berlekamp; Cantor-Zassenhaus) find all roots of a degree-D polynomial in expected time polynomial in D and in log M, so the degree of U(x) alone should not be relied upon as the security parameter in the univariate case; the inventor's further argument for the multivariate case with noise variables is given below.
Given the above system of two equations (Equations 4 and 5), the inventor's position is that making the degree of each equation n+1 or higher (i.e., 6 or higher, such as 10, 100 or 1000 or more, or anywhere in between) makes the system unsolvable or difficult to solve for s using radicals or another analytical approach, at least within the scientific limits of today.
Consequently, as long as each of n+np and n+nq is 6 or higher (or n is at least 5, since np and nq are at least 1), the intent is that an attacker should find it extremely difficult to solve Equations 4 and 5 for s and would ultimately need to try arbitrary values of s to see whether the equations are satisfied, with no “shortcut” to a reduced number of candidates when the base polynomial U(x) has degree at least n = 5. This amounts to brute-force guessing of the secret message s, which is not a viable approach when N (the bit length of the Galois field modulus) is 256 or higher, even using today’s quantum computers.
Example
Consider that p(x) = a_1 x + a_0 and q(x) = b_1 x + b_0. From Equation 3 above, this leads to:
(q0 + Qs) * (a_1 s + a_0) = (p0 + Ps) * (b_1 s + b_0), or:
s = (b_0 * (p0 + Ps) - a_0 * (q0 + Qs)) / (a_1 * (q0 + Qs) - b_1 * (p0 + Ps)) (mod M). Equation 6
As such, the secret message s can be extracted by Bob. Specifically, Bob may compute the quotient of (i) a linear combination (e.g., a sum) of the first cipher Ps and the first private component p0 and (ii) a linear combination (e.g., a sum) of the second cipher Qs and the second private component q0. In addition, Bob may derive the secret message s by computing a predetermined algebraic expression involving (i) said quotient, (ii) the first entanglement data elements a_0, a_1 and (iii) the second entanglement data elements b_0, b_1. Since p0 + Ps = U(s)p(s) and q0 + Qs = U(s)q(s), the denominator of Equation 6 equals U(s) * (a_1 b_0 - a_0 b_1); it is therefore non-zero whenever U(s) is non-zero and p(x), q(x) are not proportional, and Bob should reject entanglement polynomials with a_1 b_0 = a_0 b_1 at key generation. It is noted that all terms on the right of the equals sign in Equation 6 are known to Bob, and moreover the locally-held data elements (namely the first subset p0, a_0, a_1 and the second subset q0, b_0, b_1) are known to Bob but not to Alice or anyone else (including an attacker). As such, the private components p0, q0 are intricately linked to the entanglement coefficients (in this case a_0, a_1, b_0, b_1). Without p0, q0, a_0, a_1, b_0 and b_1, an attacker cannot apply Equation 6 and, according to the present technique, is forced into brute force / trial and error, which is the basis on which the technique is proposed for financial transactions, blockchain transactions or other sensitive communications.
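The univariate scheme just described (key generation from U(x), p(x), q(x); Alice's ciphers; Bob's recovery of s by Equation 6), as an added worked example in Python. This is not code from the patent or from Quantropi: the 256-bit prime M (the secp256k1 field prime, chosen only as a convenient public prime), the degree n, the seeded random generator and the names keygen/encrypt/decrypt are this example's own assumptions.

```python
"""Univariate (Z = 1) round trip with linear entanglement polynomials.

Added worked example for the key generation, encryption and Equation 6
decryption described above; it is not code from the patent. The field prime,
the degree n and the seeded random choices are this example's own assumptions.
"""
import random

# Assumption: M is a public 256-bit prime shared by Bob alongside P and Q.
# The secp256k1 field prime is used only because it is a well-known 256-bit prime.
M = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F


def poly_mul(f, g):
    """Product of polynomials given as coefficient lists [c_0, c_1, ...] over GF(M)."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] = (h[i + j] + fi * gj) % M
    return h


def cipher(public_coeffs, s):
    """Sum_{i>=1} C_i * s^i mod M, where public_coeffs[i-1] holds C_i (no constant term)."""
    acc, power = 0, 1
    for c in public_coeffs:
        power = power * s % M
        acc = (acc + c * power) % M
    return acc


def keygen(n, seed):
    """Bob: base polynomial U(x) of degree n, p(x) = a1 x + a0, q(x) = b1 x + b0.

    A seeded generator keeps the example reproducible; real keys must come from
    a cryptographically secure source such as the secrets module (assumption).
    """
    rng = random.Random(seed)
    while True:
        u = [rng.randrange(1, M) for _ in range(n + 1)]
        a = [rng.randrange(1, M) for _ in range(2)]
        b = [rng.randrange(1, M) for _ in range(2)]
        # The denominator of Equation 6 equals U(s) * (a1*b0 - a0*b1); reject
        # proportional p(x), q(x), for which decryption could never work.
        if (a[1] * b[0] - a[0] * b[1]) % M != 0:
            break
    UP, UQ = poly_mul(u, a), poly_mul(u, b)
    public = {"P": UP[1:], "Q": UQ[1:]}                   # P_1..P_{n+1}, Q_1..Q_{n+1}
    private = {"p0": UP[0], "q0": UQ[0], "a": a, "b": b}  # never leaves Bob
    return public, private


def encrypt(public, s):
    """Alice: ciphers Ps and Qs from the secret s and Bob's public components."""
    return cipher(public["P"], s), cipher(public["Q"], s)


def decrypt(private, Ps, Qs):
    """Bob: Equation 6, s = (b0(p0+Ps) - a0(q0+Qs)) / (a1(q0+Qs) - b1(p0+Ps)) mod M."""
    a0, a1 = private["a"]
    b0, b1 = private["b"]
    A = (private["q0"] + Qs) % M
    B = (private["p0"] + Ps) % M
    den = (a1 * A - b1 * B) % M
    if den == 0:  # only when U(s) = 0, probability about 1/M
        raise ValueError("degenerate ciphers: Equation 6 has no unique solution")
    return (b0 * B - a0 * A) * pow(den, -1, M) % M


def equation3_holds(private, s, Ps, Qs):
    """Check the identity (q0 + Qs) * p(s) = (p0 + Ps) * q(s) that decryption relies on."""
    a0, a1 = private["a"]
    b0, b1 = private["b"]
    lhs = (private["q0"] + Qs) * (a1 * s + a0) % M
    rhs = (private["p0"] + Ps) * (b1 * s + b0) % M
    return lhs == rhs


def round_trip(n=8, seed=1, s=None):
    """Generate keys, encrypt s (a fresh random field element if None) and decrypt it."""
    public, private = keygen(n, seed)
    if s is None:
        s = random.Random(seed + 1).randrange(M)
    Ps, Qs = encrypt(public, s)
    return s, decrypt(private, Ps, Qs)


if __name__ == "__main__":
    original, recovered = round_trip()
    print("recovered == original:", recovered == original)
```

The rejection test in keygen is the check a practitioner would add: if p(x) and q(x) are proportional, P and Q are proportional too and Equation 6 divides by zero for every message, so the defect would only surface at decryption time.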
As such, the base polynomial U(x) can be designed with a degree that is sufficiently high so that the secret message s is difficult to derive from the first public component P, the first cipher Ps, the second public component Q and the second cipher Qs. To further enhance the difficulty of deriving the secret message, the base polynomial can be made multivariate, as is now described.
Multivariate encryption use case (Z>1)
Where Z>1, the sender chooses Z-1 noise data elements that act as additional variables an attacker (without knowledge of the private data elements) must take into account when solving, but that do not change the way the recipient computes the secret using the private data elements.
With additional reference to Fig. 4, generation of the keys (P, p0) and (Q, q0) is now described. Specifically, Bob selects a multivariate “base polynomial” U(x,y,z) and two “entanglement polynomials” p(x), q(x). In this embodiment, the base polynomial U(x,y,z) is tri-variate. It has coefficients u_ijk, referred to as base data elements: u_ijk is the coefficient of x^i y^j z^k (x to the power i, y to the power j and z to the power k), where i ranges from 0 to n, j ranges from 0 to m and k ranges from 0 to l. The entanglement polynomials p(x), q(x) are univariate in x and have coefficients, referred to as entanglement data elements, as previously described: for the first entanglement polynomial p(x), a_i is the coefficient of x^i, where i ranges from 0 to np, whereas for the second entanglement polynomial q(x), b_i is the coefficient of x^i, where i ranges from 0 to nq. For the purposes of this description, the coefficients, variables and other data elements are defined over the Galois field GF(M), where M is an N-bit prime and N is selected to be sufficiently high, such as 256 or higher. In a non-limiting embodiment, Bob’s computing apparatus may comprise or implement a random number generation function for selecting the various coefficients u_ijk, a_i and b_i.
In an embodiment, Bob generates the key (P, p0) by multiplying the base polynomial U(x,y,z) with the first entanglement polynomial p(x). This gives a tri-variate polynomial UP(x,y,z) = U(x,y,z)p(x) of degree n + np in the variable x, of degree m in the variable y and of degree l in the variable z. The coefficients of all terms other than the all-zero-order (constant) term of this polynomial product are collectively referred to as Bob’s first public component P, whereas the coefficient of the all-zero-order term is referred to as Bob’s private component p0. In other words:
Figure imgf000014_0001
where means to exclude the case of i = j = k = 0.
Figure imgf000014_0002
Here, the set {P_ijk} (0 ≤ i ≤ n + np, 0 ≤ j ≤ m, 0 ≤ k ≤ l, excluding i = j = k = 0) are the elements of Bob’s public component P, and each P_ijk is a function of the coefficients u_ijk of the multivariate base polynomial U(x,y,z) and the coefficients a_i of the first entanglement polynomial p(x). As such, Bob’s public component P is the result of the coefficients of p(x) being entangled with the coefficients of the base polynomial U(x,y,z); hence p(x) is referred to as an “entanglement polynomial” (in this case the “first” entanglement polynomial, a second such polynomial being described below).
Similarly, in an embodiment, Bob generates the key (Q, q0) by multiplying the base polynomial U(x,y,z) with the second entanglement polynomial q(x). This gives a tri-variate polynomial UQ(x,y,z) = U(x,y,z)q(x) of degree n + nq in the variable x, of degree m in the variable y and of degree l in the variable z. The coefficients of all terms other than the all-zero-order term of this polynomial product are collectively referred to as Bob’s second public component Q, whereas the coefficient of the all-zero-order term is referred to as Bob’s private component q0. In other words,
Figure imgf000014_0003
again where means to exclude the case of i = j = k = 0.
Figure imgf000014_0004
Here, the set {Q_ijk} (0 ≤ i ≤ n + nq, 0 ≤ j ≤ m, 0 ≤ k ≤ l, excluding i = j = k = 0) are the elements of Bob’s public component Q, and each Q_ijk is a function of the coefficients u_ijk of the multivariate base polynomial U(x,y,z) and the coefficients b_i of the second entanglement polynomial q(x).
From Alice’s perspective, Alice chooses the secret s as well as Z-1 noise data elements. Since Z=3 in this embodiment, Alice chooses two noise data elements denoted t and u. These can be any quantity, including a randomly generated or non-randomly generated quantity. Bob’s public component P is then used as the non-all-zero-order coefficients applied to the secret message s, the first noise data element t and the second noise data element u, in order to generate the cipher Ps, as follows:
Figure imgf000015_0001
Similarly, Alice uses Bob’s public component Q as non-all-zero-order coefficients applied to the secret message s, the first noise data element t and the second noise data element u, in order to generate the cipher Qs, as follows:
Figure imgf000015_0002
Alice then sends the ciphers Ps and Qs back to Bob for decryption of the secret message s.
Bob is now the recipient of Ps and Qs, which are ciphers resulting from encryption of s with Bob’s public components P and Q, respectively. In this context, recall that
Figure imgf000015_0003
and
Figure imgf000015_0004
Now, replace x, y and z with s, t and u. One obtains:
Figure imgf000015_0005
and
Figure imgf000015_0006
Based on the above, consider a first expression for the quotient UP(s,t,u) / UQ(s,t,u):
UP(s,t,u) / UQ(s,t,u) = (p0 + Ps) / (q0 + Qs), Equation 7
from which it is noted that all of the terms p0, Ps, q0, Qs are known to Bob (the ciphers Ps, Qs having been received from Alice and the private data elements p0, q0 having been securely stored in memory by Bob).
An important mathematical relationship is now exploited by Bob. Specifically, recall that UP(x,y,z) = U(x,y,z)p(x), and that UQ(x,y,z) = U(x,y,z)q(x). Therefore, one has:
UP(x,y,z) / UQ(x,y,z) = U(x,y,z)p(x) / U(x,y,z)q(x) = p(x) / q(x), where p(·) and q(·) are the first and second entanglement polynomials, respectively.
In other words:
UP(s,t,u) / UQ(s,t,u) = p(s) / q(s). Equation 8
Of note is the fact that this quotient is independent of t and u.
One can then equate the two expressions for the quotient, or modulo division, UP(s,t,u) / UQ(s,t,u) from Equations 7 and 8 above:
UP(s,t,u) / UQ(s,t,u) = p(s) / q(s) = (p0 + Ps) / (q0 + Qs), which yields:
(q0 + Qs) * p(s) = (p0 + Ps) * q(s) Equation 3
(This is the same as Equation 3 in the univariate case.)
Assuming that p(s) and q(s) are polynomials whose roots can be found in closed form (np and nq at most 4, so that p(x) and q(x) are linear, quadratic, cubic or quartic; in practice 1 or 2), Bob can solve Equation 3 for s, which is the secret message sent by Alice (in the case of multiple roots, a root selection / confirmation process such as the hash-bit check described above is needed). Again, this computation is independent of the noise data elements t and u selected by Alice. This means that the multivariate implementation does not make legitimate decryption more computationally complex than the univariate implementation, while, according to the present technique, making the attacker's task considerably harder.
For example, consider that an attacker gains access to Bob’s public components P, Q (which can be expected, as they are public) and to the ciphers Ps, Qs (e.g., through interception of the communication from Alice to Bob). The attacker will be faced with the following problem:
Figure imgf000016_0001
These are 2 equations in 3 unknowns, so the system is underdetermined: without the locally-held data elements the attacker cannot separate s from t and u. (Solving systems of multivariate polynomial equations over a finite field is NP-hard in general, which is the basis of the inventor's hardness claim.) To attempt a solution, the attacker would need to guess values for the noise data elements t and u and thereby reduce the system to univariate polynomials, which are then subject to the solvability considerations discussed above for (n + np) ≥ 5 and (n + nq) ≥ 5 (see the reference above to the theorems of Abel-Ruffini and Galois). Moreover, the total degree n + np (or nq) + m + l can be made much higher (e.g., 10, 100 or 1000 or more, or anywhere in between), which is intended to make the system of equations extremely difficult to solve for s. A change of the noise data elements t and/or u by Alice between messages further confuses the attacker, who cannot tell which of the unknowns is the secret. Exhaustively guessing t and u costs O(M^2) trials over GF(M), i.e. exponential in the field size N, which is why the noise variables (noise data elements) are regarded in the present technique as a powerful means of blocking attacks.
Ultimately, the attacker would be left with brute-force guessing of the secret message s, which is not a viable approach, even with future quantum computers, when N (the bit length of the Galois field modulus) is 256 or higher.
Example
Consider that p(x) = a_1 x + a_0 and q(x) = b_1 x + b_0. From Equation 3 above, this leads to:
(q0 + Qs) * (a_1 s + a_0) = (p0 + Ps) * (b_1 s + b_0), or:
s = (b_0 * (p0 + Ps) - a_0 * (q0 + Qs)) / (a_1 * (q0 + Qs) - b_1 * (p0 + Ps)) (mod M). Equation 6
(This is the same as Equation 6 in the univariate case.)
As such, the secret message s can be extracted by Bob. Specifically, Bob may compute the quotient of (i) a linear combination (e.g., a sum) of the first cipher Ps and the first private component p0 and (ii) a linear combination (e.g., a sum) of the second cipher Qs and the second private component q0. In addition, Bob may derive the secret message s by computing a predetermined algebraic expression involving (i) said quotient, (ii) the first entanglement data elements a_0, a_1 and (iii) the second entanglement data elements b_0, b_1.
It is noted that all terms on the right of the equals sign in Equation 6 are known to Bob, and moreover the locally-held data elements (namely the first subset p0, a_0, a_1 and the second subset q0, b_0, b_1) are known to Bob but not to Alice or anyone else (including an attacker). As such, the private components p0, q0 are intricately linked to the entanglement coefficients (in this case a_0, a_1, b_0, b_1). Without p0, q0, a_0, a_1, b_0 and b_1, an attacker cannot apply Equation 6 and, according to the present technique, is forced into brute force / trial and error, an approach that is always available to an attacker regardless of the scheme and that the field size is chosen to defeat.
As such, the above techniques are proposed for financial transactions, blockchain transactions or any other sensitive communications from Alice to Bob. Encryption can be performed in real time, since it amounts to a polynomial evaluation using modular arithmetic. Of course, Bob can use the same technique to transmit confidential information to Alice by encrypting it with Alice’s public components (e.g., obtained from the central authority), and Alice would decrypt such messages using her own p0, q0, a_0, a_1, b_0 and b_1.
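The tri-variate construction with noise data elements described in this section, together with the hash-based root selection described earlier for non-affine p(x), q(x), as one added worked example in Python. This is not code from the patent: it assumes the same public 256-bit prime M as before (which is 3 mod 4, so that a square root in GF(M) is a single exponentiation), quadratic entanglement polynomials (np = nq = 2), a 32-bit SHA-256 prefix of s as the root verification information, seeded randomness for reproducibility, and names (entangle, keygen, encrypt, decrypt, tag) of its own.

```python
"""Tri-variate (Z = 3) encryption with noise data elements t, u and quadratic
entanglement polynomials, plus hash-based root selection.

Added worked example for the multivariate case described above and for the
root-verification step mentioned for non-affine p(x), q(x); it is not code from
the patent. Field prime, degrees, tag length and seeded randomness are this
example's own assumptions.
"""
import hashlib
import random

# Assumption: public 256-bit prime with M = 3 (mod 4), so that square roots mod M
# can be taken with one exponentiation (the secp256k1 field prime qualifies).
M = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
# Root verification information: 32 bits of SHA-256(s). The text suggests "a few
# bits"; 32 makes an accidental collision between the two roots negligible (assumption).
TAG_BYTES = 4


def entangle(U, coeffs):
    """Multiply U(x,y,z), stored as {(i,j,k): u_ijk}, by sum_d coeffs[d] * x^d over GF(M)."""
    out = {}
    for (i, j, k), c in U.items():
        for d, a in enumerate(coeffs):
            key = (i + d, j, k)
            out[key] = (out.get(key, 0) + c * a) % M
    return out


def keygen(n, m, ell, seed):
    """Bob: tri-variate base polynomial of degrees (n, m, ell) and quadratic p(x), q(x).

    ell is the z-degree written l in the text. Seeded randomness is for a
    reproducible demo only; real keys must come from the secrets module (assumption).
    """
    rng = random.Random(seed)
    U = {(i, j, k): rng.randrange(1, M)
         for i in range(n + 1) for j in range(m + 1) for k in range(ell + 1)}
    a = [rng.randrange(1, M) for _ in range(3)]  # p(x) = a2 x^2 + a1 x + a0
    b = [rng.randrange(1, M) for _ in range(3)]  # q(x) = b2 x^2 + b1 x + b0
    UP, UQ = entangle(U, a), entangle(U, b)
    zero = (0, 0, 0)
    public = {"P": {e: c for e, c in UP.items() if e != zero},
              "Q": {e: c for e, c in UQ.items() if e != zero}}
    private = {"p0": UP[zero], "q0": UQ[zero], "a": a, "b": b}
    return public, private


def cipher(coeffs, s, t, u):
    """sum C_ijk s^i t^j u^k mod M over the non-constant terms of a public component."""
    return sum(c * pow(s, i, M) * pow(t, j, M) * pow(u, k, M)
               for (i, j, k), c in coeffs.items()) % M


def tag(s):
    """Root verification information sent by Alice alongside the ciphers."""
    return hashlib.sha256(s.to_bytes(32, "big")).digest()[:TAG_BYTES]


def encrypt(public, s, t, u):
    """Alice: ciphers from the secret s and her chosen noise elements t, u, plus the tag."""
    return cipher(public["P"], s, t, u), cipher(public["Q"], s, t, u), tag(s)


def sqrt_mod(c):
    """Square root in GF(M) for M = 3 (mod 4); None if c is a non-residue."""
    r = pow(c, (M + 1) // 4, M)
    return r if r * r % M == c % M else None


def decrypt(private, Ps, Qs, verification_tag):
    """Bob: Equation 3 with quadratic p, q is a quadratic in s; t and u never appear."""
    a0, a1, a2 = private["a"]
    b0, b1, b2 = private["b"]
    A = (private["q0"] + Qs) % M
    B = (private["p0"] + Ps) % M
    # (a2 A - b2 B) s^2 + (a1 A - b1 B) s + (a0 A - b0 B) = 0
    c2, c1, c0 = [(ai * A - bi * B) % M for ai, bi in ((a2, b2), (a1, b1), (a0, b0))]
    if c2 == 0:  # degenerates to the linear case (Equation 6)
        roots = [-c0 * pow(c1, -1, M) % M]
    else:
        r = sqrt_mod((c1 * c1 - 4 * c2 * c0) % M)
        if r is None:
            raise ValueError("ciphers inconsistent with this key: no root in GF(M)")
        inv = pow(2 * c2, -1, M)
        roots = [(-c1 + r) * inv % M, (-c1 - r) * inv % M]
    matches = [x for x in roots if tag(x) == verification_tag]
    if len(matches) != 1:
        raise ValueError("root selection failed: %d candidates matched the tag" % len(matches))
    return matches[0]


def noise_is_transparent(public, private, s, seed):
    """Two encryptions of s under different noise give different ciphers but the same plaintext."""
    rng = random.Random(seed)
    enc1 = encrypt(public, s, rng.randrange(M), rng.randrange(M))
    enc2 = encrypt(public, s, rng.randrange(M), rng.randrange(M))
    return enc1[:2] != enc2[:2] and decrypt(private, *enc1) == s == decrypt(private, *enc2)


if __name__ == "__main__":
    pub, priv = keygen(5, 2, 2, seed=7)
    secret = random.Random(8).randrange(M)
    print("noise transparent:", noise_is_transparent(pub, priv, secret, seed=9))
```

decrypt never reads t or u, which is the point of the section: the quotient p(s)/q(s) is independent of the noise, so Alice can change t and u on every message at no cost to Bob. The tag comparison is what turns the two roots of the quadratic into a single plaintext; if a deployment sent fewer bits, the failure branch in decrypt is where a collision would surface.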
Those of skill in the art will appreciate that N (the bit length of the Galois field modulus) is chosen to be sufficiently high so that a brute-force search for the roots of a univariate or multivariate polynomial of a certain degree (at least 5 in at least one variable and possibly higher, such as 10, 100, 1000 or higher or anywhere in between) is not a viable approach, even for a powerful quantum computer. A suitable value for N may be 256 bits, but this may be increased (e.g., 512 or 1024 or even more, and not necessarily a power of 2).
Those of skill in the art will also appreciate that in some embodiments, some or all of the arithmetic or numeric computations involving the various data elements are done modulo M, where M is a suitably large N-bit prime. For example, M can be a randomly generated prime number between 2 and 2^N - 1. Choosing M prime ensures that modular division is always well defined: division modulo M requires the denominator to be invertible, i.e. co-prime with M, and since the denominators are not known a priori, a prime M guarantees this for every non-zero denominator. The value of M forms part of the information openly shared or distributed by Bob, since Alice needs M in order to compute the ciphers Ps, Qs using modular arithmetic. As such, M may be a public variable associated with Bob and available to Alice.
It should also be appreciated that although the above description has shown in detail the univariate and trivariate cases, other embodiments of the encryption use case may cover the bivariate case (Z= 2) and still other embodiments may cover a multivariate case for Z greater than or equal to 4. It is expected that the greater the number of variables, the more difficult the problem becomes to solve for an attacker, with a marginal increase in complexity for the sender of the encrypted secret and no change in the complexity or computations from the point of view of the decryption process.
Signing use case
In the signing use case, now described with reference to Fig. 5, a “signer” (e.g., Bob) is configured to sign a digital message (sometimes referred to as a “document”) denoted d, which is then sent to and processed by a “verifier” (e.g., Alice). The method broadly involves Bob computing a first message-dependent public variable (denoted t in the signing use case, not to be confused with the first noise data element in the encryption use case) and a second message-dependent public variable (denoted u in the signing use case, not to be confused with the second noise data element in the encryption use case), based on the document d and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements. The first and second sets of locally-held data elements are accessible exclusively to Bob. As such, it is envisaged that the first and second sets of locally-held data elements can be the private data elements {a_i} and {b_i} previously described in connection with the encryption use case.
In a specific non-limiting embodiment, the first and second message-dependent public variables can be a hash function applied to a function (e.g. a concatenation) of (i) the document d and (ii) a function (e.g., XOR) of the first (or second) set of locally-held data elements.
For example, for the first message-dependent public variable, one may have t = H(d | a_0 XOR a_1), and for the second message-dependent public variable, u = H(d | b_0 XOR b_1), where “|” denotes the concatenation operator and the hash function H(·) can be one of, or a combination of, the hash algorithms described in, for example, Practical Cryptography: Algorithms and Implementations Using C++, Saiful Azad and Al-Sakib Khan Pathan (eds.), ISBN-10: 9781482228892, hereby incorporated by reference herein. Another suitable hash function is described in Applicant’s PCT application PCT/CA2021/050147, filed February 11, 2021, hereby incorporated by reference herein. Generating the message-dependent public variables from the document d and a function of the private data elements such as their XOR does not leak the private data elements, provided H is preimage resistant.
Continuing with the signing method, Bob may compute a first result Ps that is a first polynomial function of the first message-dependent public variable t and the second message-dependent public variable u, wherein the coefficients P_ijk of the first polynomial function are Bob’s first public component P, as described in connection with the encryption use case. For example, one may have:
Figure imgf000020_0001
(evaluated mod M), where, in the signing use case, s is a function of (i) the document d, (ii) the first message-dependent public variable t and (iii) the second message-dependent public variable u. This s is not to be confused with the secret message s of the encryption use case. For example, one may have s = H(d | t | u).
Of course, other functions of (i) the document d, (ii) the first message-dependent public variable t and (iii) the second message-dependent public variable u can be used to create s, which is in fact an intermediate variable created for notational convenience.
Similarly, Bob may compute a second result Qs that is a second polynomial function of the first message-dependent public variable t and the second message-dependent public variable u, wherein the coefficients Q_ijk of the second polynomial function are Bob’s second public component Q. For example, one may have:
[Equation for Qs appears as an image in the original (imgf000020_0002) and is not reproduced here.]
where s is as previously defined for the signing use case.
At this point, Bob may compute a signature s that is a third function of the first and second results. In a non-limiting embodiment, the signature s may be computed as the quotient of Ps and Qs, mod M.
Bob then creates an augmented message aM, comprising the document d, the first message-dependent public variable t, the second message-dependent public variable u and the signature s.
The augmented message aM is transmitted to a verifier (e.g., Alice) over a network (e.g., the data / communications network 30, such as the Internet). Alternatively, the augmented message aM may be stored in a computer memory (e.g., smartphone memory, USB key, etc.) and ultimately transmitted to the verifier (either physically or over a data network). In the signing use case, the issue is not necessarily one of unbreakable security of the augmented message aM reaching the verifier, but rather to ensure that if a message is received by the verifier that is allegedly from a given signer (e.g., Bob), then based on what appears to be the signature associated with that received message, together with publicly available information about Bob (e.g., Bob’s public components P and Q), the verifier should be able to verify that the message did indeed originate from Bob and nobody else. Nonetheless, if secure transmission of the signature s (as well as the first and second message-dependent public variables t, u) is required, this can be ensured by encrypting these data elements with the verifier’s own public components (e.g., as was described earlier in the encryption use case).
Specifically, to ensure secure transmission of the signature s, the first message-dependent public variable t and the second message-dependent public variable u from the sender to the verifier, these data elements can be encrypted using the verifier’s public components in much the same way as Alice encrypted the secret message using Bob’s public components in the example described above with reference to Figs. 2 to 4. In this way, the verifier decrypts the received signature and message-dependent public variables using the verifier’s own private components and entanglement coefficients, which would ensure there has been no tampering with the data sent by the signer. Other techniques for ensuring secure transmission of data elements from the signer to the verifier are also possible.
The verifier ultimately receives the augmented message aM. It continues to be assumed that the signer is Bob and the verifier is Alice. As the verifier, Alice performs a verification process, which includes processing the augmented message aM and Bob’s public components P, Q in order to gain assurance that the document d did indeed originate from Bob. In particular, the verification process may include Alice generating a “candidate signature” from the information in the augmented message aM and comparing the candidate signature to the signature s included in the received augmented message aM.
The verification process is now described in greater detail with continued reference to Fig. 5.
Alice computes a first candidate result P*s that is a first polynomial function of the first message-dependent public variable t and the second message-dependent public variable u contained in the augmented message aM. The coefficients of the first polynomial function are the terms of Bob’s first public component P. Similarly, Alice computes a second candidate result Q*s that is a second polynomial function of the first message-dependent public variable t and the second message-dependent public variable u contained in the augmented message aM. The coefficients of the second polynomial function are the terms of Bob’s second public component Q. It is noted that P and Q are publicly available data elements known to Alice as being associated with Bob, and may include the complete set of coefficients of all non-all-zero terms of a univariate or multivariate polynomial.
In addition, Alice computes a candidate signature s* that is a third function of the first candidate result P*s and the second candidate result Q*s. For example:
[Equation appears as an image in the original (imgf000022_0001): the candidate signature s* formed as the quotient of P*s and Q*s, mod M.]
Of course, a function other than a quotient can be used, depending naturally on the function used by the sender to create the signature in the first place.
Finally, Alice compares the candidate signature s* to the received signature s (in the augmented message aM) and concludes that verification of the augmented message aM is successful if the candidate signature s* matches the received signature s, and that verification is unsuccessful otherwise.
In the case of an unsuccessful verification, Alice may cause a signal indicative of an alarm to be issued so as to indicate a suspicion that an impostor of Bob may have sent the augmented message aM. This signal may be output by the computing device 20 and may include a message sent over the data / communications network 30.
The foregoing provides enhanced security because knowledge of the signature s, the first message-dependent public variable t, the second message-dependent public variable u and the document d does not reveal any of Bob’s privately held data elements ({ai}, {bi}, as well as of course p0 and q0, which are not required for the signing use case).
To enhance security and improve resistance to tampering, certain embodiments can utilize a layer of indirection to ensure that when a signature s for a given document d is transmitted in an augmented message aM, it is the correct signature for that message. For example, each time a signature s is created for a document d, Bob publishes the signature s and the message-dependent public variables t, u to a third party database, in association with Bob’s public components P, Q and a hash h of the document d. Thus, when Alice receives the augmented message aM from Bob, Alice can check the third party database, on the basis of Bob’s public components P, Q and the hash h, to find the signature s and the message-dependent public variables t, u. If the signature and the message-dependent public variables t, u published in the third party database match the signature s and the message-dependent public variables t, u in the augmented message aM, then Alice has confirmed that the signature s is associated with the document d (and has not been tampered with); what remains is to verify that it originates from Bob, as described above.
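The signing, verification and third-party publication steps described above, as an added worked example in Python. This is not code from the patent or from Quantropi. The patent's equations for Ps and Qs are images on this page, so the trivariate form Σ Pijk t^i u^j s^k mod M, the choice of SHA-256 for H(·), the prime modulus M = 2^61 − 1 (prime so that the quotient Ps / Qs mod M has an inverse) and every sample value (Bob's private elements, public components P and Q, the document) are assumptions of this example.

```python
import hashlib

# Constructed modulus, not a value from the patent: a prime so that the
# quotient Ps / Qs mod M is well defined via a modular inverse.
M = (1 << 61) - 1


def to_bytes(x: int) -> bytes:
    """Fixed-width big-endian encoding so that concatenation is unambiguous."""
    return x.to_bytes(32, "big")


def H(*parts: bytes) -> int:
    """Hash H(.) over the concatenation of its parts (SHA-256 assumed), reduced mod M."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % M


def poly3(coeffs, t: int, u: int, s: int) -> int:
    """Evaluate sum_{i,j,k} coeffs[i][j][k] * t^i * u^j * s^k mod M.
    The trivariate shape is an assumption; the patent's equations are images."""
    total = 0
    for i, plane in enumerate(coeffs):
        for j, row in enumerate(plane):
            for k, c in enumerate(row):
                term = c * pow(t, i, M) % M * pow(u, j, M) % M * pow(s, k, M) % M
                total = (total + term) % M
    return total


def sign(d: bytes, a: list, b: list, P, Q) -> dict:
    """Bob's signing step; returns the augmented message aM = (d, t, u, signature)."""
    t = H(d, to_bytes(a[0] ^ a[1]))       # t = H(d | a0 XOR a1)
    u = H(d, to_bytes(b[0] ^ b[1]))       # u = H(d | b0 XOR b1)
    s = H(d, to_bytes(t), to_bytes(u))    # intermediate s = H(d | t | u)
    Ps = poly3(P, t, u, s)
    Qs = poly3(Q, t, u, s)
    if Qs == 0:
        raise ValueError("Qs is zero mod M; the quotient Ps / Qs is undefined")
    sigma = Ps * pow(Qs, -1, M) % M       # signature = Ps / Qs mod M
    return {"d": d, "t": t, "u": u, "sig": sigma}


def verify(aM: dict, P, Q) -> bool:
    """Alice's verification: recompute the candidate signature s* from Bob's
    public components P, Q and the received (d, t, u), then compare with s."""
    d, t, u = aM["d"], aM["t"], aM["u"]
    s = H(d, to_bytes(t), to_bytes(u))
    Ps_c = poly3(P, t, u, s)
    Qs_c = poly3(Q, t, u, s)
    if Qs_c == 0:
        return False                      # treat an undefined quotient as a failure
    candidate = Ps_c * pow(Qs_c, -1, M) % M
    return candidate == aM["sig"]


def registry_key(P, Q, d: bytes) -> tuple:
    """Lookup key for the third-party database: Bob's P, Q and a hash h of d."""
    return (repr(P), repr(Q), hashlib.sha256(d).hexdigest())


def publish(registry: dict, P, Q, aM: dict) -> None:
    """Bob publishes (signature, t, u) to the third-party database."""
    registry[registry_key(P, Q, aM["d"])] = (aM["sig"], aM["t"], aM["u"])


def registry_matches(registry: dict, P, Q, aM: dict) -> bool:
    """Alice's indirection check: the published record must equal what aM carries."""
    return registry.get(registry_key(P, Q, aM["d"])) == (aM["sig"], aM["t"], aM["u"])


# Constructed sample values (hypothetical, not from the patent).
BOB_A = [0x1234, 0xABCD]                        # Bob's private {ai}
BOB_B = [0x5555, 0x0F0F]                        # Bob's private {bi}
BOB_P = [[[3, 7], [11, 13]], [[17, 19], [23, 29]]]   # public component P (Pijk)
BOB_Q = [[[5, 2], [9, 31]], [[37, 41], [43, 47]]]    # public component Q (Qijk)
DOC = b"constructed sample document"

if __name__ == "__main__":
    aM = sign(DOC, BOB_A, BOB_B, BOB_P, BOB_Q)
    print("genuine verifies:", verify(aM, BOB_P, BOB_Q))
    print("altered d verifies:", verify(dict(aM, d=b"altered document"), BOB_P, BOB_Q))
    db = {}
    publish(db, BOB_P, BOB_Q, aM)
    print("registry matches:", registry_matches(db, BOB_P, BOB_Q, aM))
```

The verifier never needs Bob's private {ai}, {bi}: it recomputes s from the received d, t, u and evaluates the same public polynomials, so a change to any of d, t, u or the signature makes the candidate s* disagree with the received value, and the registry check catches a record that does not match what Bob published.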
Additional Remarks
Those of skill in the art will appreciate that in some embodiments, some or all of the aforementioned numeric and/or arithmetic computations involving the various data elements are done modulo M over the Galois field GF(2^N). In the encryption use case, it may be advantageous to choose M to be a fixed but arbitrary and suitably large prime number. In the signing use case, there is no division, and therefore M does not need to be a prime number. Instead, M can be a suitably large number, such as the largest number in the Galois Field GF(2^N). Non-limiting examples include M = 2^N − 1 where N = 64, 128, 256, 1024 or more, and anywhere in between. In other cases, M need not be the largest number in the Galois Field GF(2^N). Alternatively, M may be a randomly generated N-bit number, whereby M is a value associated with Alice and made available to Bob. Accordingly, Alice’s computing apparatus may implement a random number generator, and the value of M may be communicated to Bob in a message or via the central authority 40. In that way, M can be considered another publicly available data element associated with Bob.
Referring now to Fig. 6, a schematic of a non-limiting example of a computing apparatus 212, also referred to as a computer system/server, is shown. Computing apparatus 212 is only one example of a suitable apparatus and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein. The computing apparatus 212 is capable of implementing and/or performing any of the functionality set forth herein above. Separate computing apparatuses 212 may be used to implement and/or perform the functionalities associated with Alice 20, Bob 10 and/or the certification authority 40. As such, when referring to Alice and Bob performing actions, this is intended to reflect actions performed by the appropriate computing apparatus, which can have the role of a sender and/or recipient of data in the encryption use case or the signing use case. In some embodiments, a single computing apparatus may implement the functionality of a sender in one direction of communication and of a recipient in the other. The computing apparatus 212 may be described in the general context of computer-readable instructions, such as program modules, being executed by a processor. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. The computing apparatus 212 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
As shown in Fig. 2, the computing apparatus 212 may include, but is not limited to, one or more processors or processing units 216, a system memory 228, and a bus 218 that couples various system components including system memory 228 to processor 216.
The bus 218 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
The computing apparatus 212 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by the computing apparatus 212, and it includes both volatile and non-volatile media, removable and non-removable media.
System memory 228 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 230 and/or cache memory 232. The computing apparatus 212 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 234 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a "hard drive"). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to the bus 218 by one or more data media interfaces. As will be further depicted and described below, the memory 228 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the.
A program/utility 240, having a set (at least one) of program modules 242, may be stored in the memory 228 by way of example, and not limitation, as well as an Operating System, one or more application programs, other program modules, and program data. Each of the Operating System, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 242 may generally carry out the functions and/or methodologies of various embodiments as described herein.
The computing apparatus 212 may also communicate with one or more external devices 214 such as a keyboard, a pointing device, a display 224, etc.; one or more devices that enable a user to interact with the computing device 210; and/or any devices (e.g., network card, modem, etc.) that enable the computing device 210 to communicate with one or more other computing devices. Such communication can occur via Input / Output (I/O) interfaces 222. Still yet, the computing device 210 can communicate with one or more networks 30 such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 220. As depicted, the network adapter 220 communicates with the other components of the computing apparatus 212 via the bus 218. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with the computing apparatus 212. Examples include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.
Embodiments may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the disclosure, including processes or methods.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, Firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field- programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart/signal flow illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to various embodiments. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
The descriptions of the various embodiments of the present invention have been presented for purposes of illustration and are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
It is appreciated that throughout the specification discussions utilizing terms such as “processing”, “computing”, “calculating”, “determining”, “analyzing” or the like, refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities into other data similarly represented as physical quantities.
In some cases, calculations may be referred to as involving a “polynomial” in order to facilitate understanding of certain concepts and features; operations are nevertheless carried out electronically using arithmetic operations with arrays or other data structures. As such, where reference is made to data elements being coefficients of a polynomial, and where such data elements or coefficients are applied to another data element (such as a digital message, an intermediate data element, etc.) used as a variable of the polynomial, this may be carried out in machine language in a variety of ways, for example, by array multiplication or other arithmetic operations.
Additionally, reference throughout this disclosure to “one embodiment,” “exemplary embodiment,” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an exemplary embodiment,” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment, although this may be the case in some instances. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner, as would be apparent to one of ordinary skill in the art from this disclosure, in one or more embodiments. Similarly it should be appreciated that, in the above description of example embodiments, various features are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that more features are required than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects may lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment. Furthermore, while some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention, and form different embodiments, as would be understood by those in the art. For example, in the following claims, any of the claimed embodiments can be used in any combination.
As used herein, unless otherwise specified, the use of the ordinal adjectives “first”, “second”, “third”, etc., to describe a common object or step, merely indicate that different instances of like objects or steps are being referred to, and are not intended to imply that the objects or steps so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
It is noted that various individual features of the inventive processes and systems may be described only in one exemplary embodiment herein. The particular choice for description herein with regard to a single exemplary embodiment is not to be taken as a limitation that the particular feature is only applicable to the embodiment in which it is described. All features described herein may be equally applicable to, additive, or interchangeable with any or all of the other exemplary embodiments described herein and in any combination or grouping or arrangement. In particular, use of a single reference numeral herein to illustrate, define, or describe a particular feature does not mean that the feature cannot be associated or equated to another feature in another drawing figure or description. Further, where two or more reference numerals are used in the figures or in the drawings, this should not be construed as being limited to only those embodiments or features; they are equally applicable to similar features whether or not a reference numeral is used or another reference numeral is omitted. Also, when the phrase “at least one of A and B” is used, this phrase is intended to and is hereby defined as a choice of A or B or both A and B, which is similar to the phrase “and/or”. Where more than two variables are present in such a phrase, this phrase is hereby defined as including only one of the variables, any one of the variables, any combination of any of the variables, and all of the variables.
The foregoing description and accompanying drawings illustrate the principles and modes of operation of certain embodiments. However, these embodiments should not be considered limiting. Additional variations of the embodiments discussed above will be appreciated by those skilled in the art and the above-described embodiments should be regarded as illustrative rather than restrictive. Accordingly, it should be appreciated that variations to those embodiments can be made by those skilled in the art without departing from the scope of the invention as defined by the following claims.

Claims

WHAT IS CLAIMED IS:
1. A method of operating a sender computing apparatus to securely transmit a secret to a recipient over a data network, comprising: computing a first cipher from (i) a secret data element, (ii) at least one noise data element and (iii) a first set of public data elements, the first set of public data elements corresponding to a first set of recipient-held data elements that are unknown to the sender computing apparatus; computing a second cipher from (i) the secret data element, (ii) the at least one noise data element and (iii) a second set of public data elements, the second set of public data elements corresponding to a second set of recipient-held data elements that are unknown to the sender computing apparatus; transmitting the first cipher and the second cipher to the recipient over the data network; wherein the secret data element is derivable by a predefined arithmetic computation involving (i) the first cipher, (ii) the second cipher, (iii) the first set of recipient-held data elements and (iv) the second set of recipient-held data elements.
2. The method defined in claim 1, wherein the first cipher is computed as a first multi-variate polynomial function of the secret data element and the at least one noise data element, with coefficients of the first multi-variate polynomial being the first set of public data elements.
3. The method defined in claim 2, wherein the second cipher is computed as a second multi-variate polynomial function of the secret data element and the at least one noise data element, with coefficients of the second multi-variate polynomial being the second set of public data elements.
4. The method defined in claim 3, wherein the at least one noise data element includes a single noise data element and the first and second polynomial functions are bi-variate polynomial functions whose variables are the secret data element and the single noise data element.
5. The method defined in claim 3, wherein the at least one noise data element includes two noise data elements and the first and second polynomial functions are tri-variate polynomial functions whose variables are the secret data element and the two noise data elements.
6. The method defined in claim 3, wherein the at least one noise data element includes Z-1 noise data elements and the first and second polynomial functions have Z variables that are the secret data element and the Z-1 noise data elements, for Z > 2.
7. The method defined in any one of claims 1 to 6, wherein the at least one noise data element includes a plurality of noise data elements.
8. The method defined in any one of claims 1 to 7, wherein the arithmetic computation comprises a quotient of a first affine function of k and a second affine function of k, where k is the quotient of (i) the sum of the first cipher and a first recipient-held data element in the first set of recipient-held data elements and (ii) the sum of the second cipher and a first recipient-held data element in the second set of recipient-held data elements.
9. The method defined in claim 8, wherein the first affine function of k has a first order coefficient that is a second recipient-held data element in the second set of recipient-held data elements and a constant term that is the negative of a second recipient-held data element in the first set of recipient-held data elements, and wherein the second affine function of k has a first order coefficient that is the negative of a third recipient-held data element in the first set of recipient-held data elements and a constant term that is a third recipient-held data element in the second set of recipient-held data elements.
10. The method defined in any one of claims 1 to 7, wherein the arithmetic computation comprises determining roots of a quadratic or cubic or quartic equation.
11. The method defined in any one of claims 1 to 10, further comprising obtaining the at least one noise data element from a non-transitory storage medium.
12. The method defined in any one of claims 1 to 11, wherein the secret is part of a financial transaction.
13. The method defined in any one of claims 1 to 11, wherein the secret is part of a blockchain transaction.
14. The method defined in any one of claims 1 to 13, further comprising obtaining the first and second sets of public data elements from the recipient.
15. The method defined in claim 14, wherein the first and second sets of public data elements are obtained from the recipient over the data network.
16. The method defined in any one of claims 1 to 13, further comprising obtaining the first and second sets of public data elements from a server connected to the data network by providing the server with an identifier of the recipient and receiving, in return, over the data network, the first and second sets of public data elements.
17. The method defined in any one of claims 1 to 16, wherein the first and second sets of public data elements are published by the recipient.
18. The method defined in any one of claims 1 to 17, wherein the arithmetic computation is carried out modulo M over GF(2^N), where M is a prime number and N is at least as great as 256.
19. A non-transitory computer-readable storage medium comprising computer-executable instructions which, when executed by a processor, cause the processor to carry out a method for securely transmitting a secret to a recipient over a data network, wherein the method comprises: computing a first cipher from a secret data element, at least one noise data element and a first set of public data elements, the first set of public data elements corresponding to a first set of recipient-held data elements that are unknown to the sender computing apparatus; computing a second cipher from the secret data element, the at least one noise data element and a second set of public data elements, the second set of public data elements corresponding to a second set of recipient-held data elements that are unknown to the sender computing apparatus; transmitting the first cipher and the second cipher to the recipient over the data network; wherein the secret data element is derivable by a predefined arithmetic computation involving the first cipher, the second cipher, the first set of recipient-held data elements and the second set of recipient-held data elements.
20. A computing apparatus for secure transmission of a secret to a recipient over a data network, comprising: a network interface for connection to the data network; a non-transitory storage medium storing computer-executable instructions; and a processor configured for executing the instructions so as to (i) compute a first cipher from a secret data element, at least one noise data element and a first set of public data elements, the first set of public data elements corresponding to a first set of recipient-held data elements; (ii) compute a second cipher from the secret data element, the at least one noise data element and a second set of public data elements, the second set of public data elements corresponding to a second set of recipient-held data elements; and (iii) transmit the first cipher and the second cipher to the recipient over the data network; wherein the secret data element is derivable by a predefined arithmetic computation involving the first cipher, the second cipher, the first set of recipient-held data elements and the second set of recipient-held data elements; the first and second sets of recipient-held data elements being unknown to the computing apparatus.
21. A method for operating a local computing device to carry out secure cryptographic decryption of data received from a remote device over a data network, comprising: computing a first set of public data elements and a corresponding first set of locally-held data elements; computing a second set of public data elements and a corresponding second set of locally-held data elements; causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device; receiving a first cipher and a second cipher from the remote device over the data network; combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element; and storing the decrypted data element in a non-transitory storage medium.
22. The method defined in claim 21, wherein: the first set of public data elements comprises the coefficients of the non-constant terms of a first resultant polynomial obtained by multiplying a multi-variate base polynomial with a first entanglement polynomial, and the first set of locally-held data elements comprises the coefficient of the constant term of the first resultant polynomial and the coefficients of the first entanglement polynomial; and the second set of public data elements comprises the coefficients of the non-constant terms of a second resultant polynomial obtained by multiplying the multi-variate base polynomial with a second entanglement polynomial, and the second set of locally-held data elements comprises the coefficient of the constant term of the second resultant polynomial and the coefficients of the second entanglement polynomial.
23. The method defined in claim 22, wherein the multi-variate base polynomial is at least tri-variate and is of order at least 2 in at least one of the three or more variables.
24. The method defined in claim 22, wherein the multi-variate base polynomial is at least tri-variate and is of order at least 2 in each of the three or more variables.
25. The method defined in claim 22, wherein the multi-variate base polynomial is at least bi-variate and the sum of the orders of all variables is at least 5.
26. The method defined in claim 22, wherein the multi-variate base polynomial is of order at least 10.
27. The method defined in claim 22, wherein the multi-variate base polynomial is of order at least 1000.
28. The method defined in any one of claims 22 to 27, wherein the first and second entanglement polynomials are each of order 1, 2, 3 or 4.
29. The method defined in any one of claims 22 to 28, wherein the multi-variate base polynomial is a bi-variate polynomial.
30. The method defined in any one of claims 22 to 28, wherein the multi-variate base polynomial is a tri-variate polynomial.
31. The method defined in any one of claims 22 to 30, wherein combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element, comprises computing a quotient of a first affine function of k and a second affine function of k, where k is the quotient of (i) the sum of the first cipher and the constant term of the first resultant polynomial and (ii) the sum of the second cipher and the constant term of the second resultant polynomial.
32. The method defined in claim 31, wherein the first affine function has a first order coefficient that is the coefficient of the first order term of the second entanglement polynomial and a constant term that is the negative of the coefficient of the first order term of the first entanglement polynomial, and wherein the second affine function has a first order coefficient that is the negative of the constant term of the second entanglement polynomial and a constant term that is the constant term of the first entanglement polynomial.
33. The method defined in any one of claims 22 to 32, wherein combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element, comprises determining roots of a quadratic or cubic or quartic equation whose three coefficients are each a respective combination of (i) the first cipher, (ii) the second cipher, (iii) the constant term of the first resultant polynomial, (iv) the constant term of the second resultant polynomial, (v) the coefficients of the first entanglement polynomial, and (vi) the coefficients of the second entanglement polynomial.
34. The method defined in claim 33, further comprising selecting one of the roots based on root verification information received from the remote device.
35. The method defined in claim 34, wherein the root verification information is a hash function of the decrypted data element.
36. The method defined in any one of claims 22 to 35, wherein the decrypted data element is part of a financial transaction.
37. The method defined in any one of claims 22 to 35, wherein the decrypted data element is part of a blockchain transaction.
38. The method defined in any one of claims 22 to 35, further comprising encrypting a message with an encryption key that is at least partly based on the decrypted data element, and transmitting the encrypted message to the remote device.
39. The method defined in any one of claims 22 to 38, further comprising storing the first and second sets of locally-held data elements in a memory that is accessible exclusively to the local computing device.
40. The method defined in any one of claims 22 to 39, further comprising preventing the first and second sets of locally-held data elements from being sent to the remote device.
41. The method defined in any one of claims 22 to 40, wherein causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device comprises sending the first and second sets of public data elements to the remote device over the data network.
42. The method defined in any one of claims 22 to 40, wherein causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device comprises sending the first and second sets of public data elements to a server that is accessible by the remote device over the data network.
43. The method defined in any one of claims 22 to 40, wherein causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device comprises publishing the first and second sets of public data elements.
44. The method defined in any one of claims 22 to 43, wherein the combining is carried out modulo M over GF(2^N), where M is a prime number and N is at least as great as 256.
45. A non-transitory computer-readable storage medium comprising computer-executable instructions which, when executed by a processor, cause the processor to carry out a method for secure cryptographic decryption of data received from a remote device over a data network, wherein the method comprises: computing a first set of public data elements and a corresponding first set of locally-held data elements; computing a second set of public data elements and a corresponding second set of locally-held data elements; causing the first set of public data elements and the second set of public data elements to be transmitted to the remote device; receiving a first cipher and a second cipher from the remote device over the data network; combining the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element; and storing the decrypted data element in a non-transitory storage medium.
46. A computing apparatus for secure cryptographic decryption of data received from a remote device over a data network, comprising: a network interface for connection to the data network; a non-transitory storage medium storing computer-executable instructions; and a processor configured for executing the instructions so as to (i) compute a first set of public data elements and a corresponding first set of locally-held data elements; (ii) compute a second set of public data elements and a corresponding second set of locally-held data elements; (iii) cause the first set of public data elements and the second set of public data elements to be transmitted to the remote device; (iv) be attentive to receipt of a first cipher and a second cipher from the remote device over the data network; (v) combine the first cipher, the second cipher, the first set of locally-held data elements and the second set of locally-held data elements, to obtain a decrypted data element; and (vi) store the decrypted data element in the non-transitory storage medium.
47. A method of operating a local computing apparatus to digitally sign a document for transmission to a recipient over a data network, comprising: computing a first message-dependent public variable and a second message-dependent public variable based on the document and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements, the first and second sets of locally-held data elements being accessible exclusively to the local computing apparatus; computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements associated with the local computing apparatus; computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements associated with the local computing apparatus; computing a signature that is a third function of the first and second results; and sending an augmented message to the recipient over the data network, the augmented message comprising the document, the first message-dependent public variable, the second message-dependent public variable and the signature, wherein the augmented message is verifiable as having been sent by the local computing apparatus by processing the elements of the augmented message.
48. The method defined in claim 47, wherein the document is representative of a financial transaction or a blockchain transaction.
49. A non-transitory computer-readable storage medium comprising computer-executable instructions which, when executed by a processor of a local computing apparatus, cause the processor to carry out a method for digitally signing a document for transmission to a recipient over a data network, wherein the method comprises: computing a first message-dependent public variable and a second message-dependent public variable based on the document and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements, the first and second sets of locally-held data elements being accessible exclusively to the local computing apparatus; computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements associated with the local computing apparatus; computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements associated with the local computing apparatus; computing a signature that is a third function of the first and second results; and sending an augmented message to the recipient over the data network, the augmented message comprising the document, the first message-dependent public variable, the second message-dependent public variable and the signature, wherein the augmented message is verifiable as having been sent by the local computing apparatus by processing the elements of the augmented message.
50. A computing apparatus for digitally signing a document for transmission to a recipient over a data network, comprising: a network interface for connection to the data network; a non-transitory storage medium storing computer-executable instructions; and a processor configured for executing the instructions so as to (i) compute a first message-dependent public variable and a second message-dependent public variable based on the document and respective combinations of a first set of locally-held data elements and a second set of locally-held data elements, the first and second sets of locally-held data elements being accessible exclusively to the computing apparatus; (ii) compute a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements associated with the computing apparatus; (iii) compute a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements associated with the computing apparatus; (iv) compute a signature that is a third function of the first and second results; and (v) send an augmented message to the recipient over the data network, the augmented message comprising the document, the first message-dependent public variable, the second message-dependent public variable and the signature, wherein the augmented message is verifiable as having been sent by the computing apparatus by processing the elements of the augmented message.
51. A method of operating a recipient computing apparatus to digitally verify an augmented message purportedly sent by a sender, the augmented message comprising a document, a first message-dependent public variable, a second message-dependent public variable and a received signature, comprising: computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements known to the recipient computing apparatus as being associated with the sender; computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements known to the recipient computing apparatus as being associated with the sender; computing a candidate signature that is a third function of the first and second results; and comparing the candidate signature to the received signature and concluding successful verification of the augmented message if the candidate signature matches the received signature and unsuccessful verification otherwise.
52. The method defined in claim 51, wherein the document is representative of a financial transaction or a blockchain transaction.
53. A non-transitory computer-readable storage medium comprising computer-executable instructions which, when executed by a processor of a recipient computing apparatus, cause the processor to carry out a method for digitally verifying an augmented message purportedly sent by a sender, the augmented message comprising a document, a first message-dependent public variable, a second message-dependent public variable and a received signature, wherein the method comprises: computing a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements known to the recipient computing apparatus as being associated with the sender; computing a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements known to the recipient computing apparatus as being associated with the sender; computing a candidate signature that is a third function of the first and second results; and comparing the candidate signature to the received signature and concluding successful verification of the augmented message if the candidate signature matches the received signature and unsuccessful verification otherwise.
54. A computing apparatus for secure transmission of a secret to a recipient over a data network, comprising: a network interface for connection to the data network; a non-transitory storage medium storing computer-executable instructions; and a processor configured for executing the instructions so as to (i) compute a first result that is a first polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the first polynomial function are a first set of public data elements known to the recipient computing apparatus as being associated with the sender; (ii) compute a second result that is a second polynomial function of the first message-dependent public variable and the second message-dependent public variable, wherein coefficients of the second polynomial function are a second set of public data elements known to the recipient computing apparatus as being associated with the sender; (iii) compute a candidate signature that is a third function of the first and second results; and (iv) compare the candidate signature to the received signature and conclude successful verification of the augmented message if the candidate signature matches the received signature and unsuccessful verification otherwise.
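The two-cipher scheme of claims 19 to 32, worked through in code. This is an added illustration, not the patent's or Quantropi's implementation; it assumes arithmetic in a prime field Z_p (the claims call for a prime modulus and a field of at least 256 bits), a bi-variate base polynomial in the secret x and one noise value, degree-1 entanglement polynomials (claim 28 permits order 1), and the affine solve for x that follows from k = f1(x)/f2(x) after the base polynomial cancels.

```python
"""Added model of the polynomial-entanglement key exchange in claims 19-32.

Assumptions (not from the patent text): field Z_p with p = 2^255 - 19,
a bi-variate base polynomial B(x, n) in the secret x and a noise n,
and entanglement polynomials f1, f2 of degree 1 in x.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass

P = 2**255 - 19  # 255-bit prime, constructed choice for this demo


def rand_nonzero() -> int:
    return secrets.randbelow(P - 1) + 1


def poly_mul(base: dict, ent: list[int]) -> dict:
    """Multiply base {(i, j): coef} (monomial x^i n^j) by the univariate
    entanglement polynomial ent[0] + ent[1]*x + ... ; result keyed the same way."""
    out: dict = {}
    for (i, j), b in base.items():
        for k, f in enumerate(ent):
            key = (i + k, j)
            out[key] = (out.get(key, 0) + b * f) % P
    return out


@dataclass
class PublicKey:          # the two "sets of public data elements" (claim 22)
    pub1: dict            # non-constant coefficients of B*f1
    pub2: dict            # non-constant coefficients of B*f2


@dataclass
class PrivateKey:         # the two "sets of locally-held data elements"
    const1: int           # constant term of B*f1
    const2: int           # constant term of B*f2
    f1: list[int]         # coefficients of the first entanglement polynomial
    f2: list[int]         # coefficients of the second entanglement polynomial


def keygen(deg_x: int = 2, deg_n: int = 1) -> tuple[PublicKey, PrivateKey]:
    """Recipient side (claims 21-22): random base and entanglement polynomials."""
    base = {(i, j): rand_nonzero()
            for i in range(deg_x + 1) for j in range(deg_n + 1)}
    while True:
        f1 = [rand_nonzero(), rand_nonzero()]
        f2 = [rand_nonzero(), rand_nonzero()]
        # Proportional f1, f2 would make f1(x)/f2(x) constant and the
        # affine solve in decrypt() degenerate, so reject that case.
        if (f1[0] * f2[1] - f1[1] * f2[0]) % P:
            break
    r1, r2 = poly_mul(base, f1), poly_mul(base, f2)
    pub = PublicKey({m: c for m, c in r1.items() if m != (0, 0)},
                    {m: c for m, c in r2.items() if m != (0, 0)})
    priv = PrivateKey(r1[(0, 0)], r2[(0, 0)], f1, f2)
    return pub, priv


def eval_public(coefs: dict, x: int, n: int) -> int:
    """Evaluate the published (non-constant) terms at the secret x and noise n."""
    return sum(c * pow(x, i, P) * pow(n, j, P) for (i, j), c in coefs.items()) % P


def encrypt(pub: PublicKey, secret: int, noise: int) -> tuple[int, int]:
    """Sender side (claims 19-20): first and second cipher; the sender never
    learns the constant terms or the entanglement coefficients."""
    return eval_public(pub.pub1, secret, noise), eval_public(pub.pub2, secret, noise)


def decrypt(priv: PrivateKey, c1: int, c2: int) -> int:
    """Recipient side (claims 31-32).  c1 + const1 = B(x,n)*f1(x) and
    c2 + const2 = B(x,n)*f2(x); B cancels in k = f1(x)/f2(x) and the
    noise disappears with it, leaving an affine equation in x."""
    k = (c1 + priv.const1) * pow((c2 + priv.const2) % P, -1, P) % P
    f1_0, f1_1 = priv.f1
    f2_0, f2_1 = priv.f2
    # k*(f2_0 + f2_1*x) = f1_0 + f1_1*x  =>  x = (f1_0 - k*f2_0) / (k*f2_1 - f1_1)
    num = (f1_0 - k * f2_0) % P
    den = (k * f2_1 - f1_1) % P
    return num * pow(den, -1, P) % P
```

The secret must lie in [0, p); with the degenerate-entanglement check in keygen(), the only remaining failure is the negligible event that B(x, n) or f2(x) vanishes mod p, which pow(..., -1, P) reports as a ValueError rather than a silent wrong answer.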
PCT/CA2021/050319 2020-06-09 2021-03-10 Methods and systems for encryption, decryption, signing and verification of digital messages WO2021248227A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US17/691,295 US11641347B2 (en) 2021-03-10 2022-03-10 Quantum-safe cryptographic methods and systems
PCT/CA2022/050349 WO2022187959A1 (en) 2021-03-10 2022-03-10 Quantum-safe cryptographic methods and systems
US17/964,709 US20230052431A1 (en) 2021-03-10 2022-10-12 Quantum-safe cryptographic method and system
US18/186,130 US20230231835A1 (en) 2021-03-10 2023-03-17 Quantum-safe cryptographic methods and systems

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US202063036665P 2020-06-09 2020-06-09
US63/036,665 2020-06-09
US16/921,583 US10951404B1 (en) 2020-06-09 2020-07-06 Methods and systems for digital message encoding and signing
US16/921,583 2020-07-06
PCT/CA2021/050147 WO2021248226A1 (en) 2020-06-09 2021-02-11 Methods and systems for encryption, decryption, signing, verification and hashing of digital messages
CAPCT/CA2021/050147 2021-02-11

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US17/691,295 Continuation-In-Part US11641347B2 (en) 2021-03-10 2022-03-10 Quantum-safe cryptographic methods and systems
US17/964,709 Continuation-In-Part US20230052431A1 (en) 2021-03-10 2022-10-12 Quantum-safe cryptographic method and system

Publications (1)

Publication Number Publication Date
WO2021248227A1 true WO2021248227A1 (en) 2021-12-16

Family

ID=78846870

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2021/050319 WO2021248227A1 (en) 2020-06-09 2021-03-10 Methods and systems for encryption, decryption, signing and verification of digital messages

Country Status (1)

Country Link
WO (1) WO2021248227A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11641347B2 (en) 2021-03-10 2023-05-02 Quantropi Inc. Quantum-safe cryptographic methods and systems

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009171384A (en) * 2008-01-18 2009-07-30 Nippon Hoso Kyokai <Nhk> Encryption information generation device and its program, secret key generation device and its program, and content decryption apparatus and its program
US20170324554A1 (en) * 2016-05-05 2017-11-09 Pq Solutions Limited Public Key Cryptosystem Based On Partitioning Of Galois Field Elements

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DING JINTAI, YANG BO-YIN: "Multivariate Public Key Cryptography", 1 January 2009 (2009-01-01), XP055884751, Retrieved from the Internet <URL:https://www.iis.sinica.edu.tw/papers/byyang/12734-F.pdf> [retrieved on 20220128] *
KASAHARA, M.: "Construction of A New Class of Linear Multivariate Public Key Cryptosystem, K(I)SE(1)PKC", 7 November 2009 (2009-11-07), XP061003658, Retrieved from the Internet <URL:https://eprint.iacr.org/2009/546.pdf> *
OKYERE-GYAMFI, S. ET AL.: "An Enhanced Asymmetric Cryptosystem using Multiple Key System", INTERNATIONAL JOURNAL OF COMPUTER APPLICATIONS, vol. 176, no. 15, April 2020 (2020-04-01), pages 18 - 26, XP055884746 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21821314; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21821314; Country of ref document: EP; Kind code of ref document: A1)